iOS 6.1.3 has only just been released by Apple, and already a security hole has been found – allowing anyone to bypass the passcode lock on iPhones, and access private data on the device.
Embarrassingly for the Cupertino company, one of the main reasons for installing iOS 6.1.3 was that it promised to fix other security flaws that allowed the lock screen to be bypassed.
The flaw was found by “videosdebarraquito”, who seems to be making a hobby of embarrassing Apple by uncovering lock bypass flaws. In a video he demonstrates that it’s not particularly complicated to avoid the iOS 6.1.3 passcode lock if you have physical access to the device and a widget for removing the SIM card.
Here is videosdebarraquito’s video, where he demonstrates how the passcode can be bypassed:
It appears that circumventing the passcode lock can allow an unauthorised party to access the device’s photo gallery and use the phone.
The good news is that this security flaw can be easily prevented. The passcode bypass relies upon use of the “Voice Dial” feature of iPhones, which is disabled on devices using Apple’s Siri voice recognition feature.
If you *aren’t* using Siri, then the recommendation is to disable “Voice Dial”. If you do that, your device shouldn’t be prone to this passcode bypass.
You can disable “Voice Dial” on your iPhone by going to Settings / General / Passcode Lock. (Note that if you have Siri enabled you won’t see an option for “Voice Dial” there, as it has been automatically disabled.)
Easy as it is to avoid this flaw putting your iDevice at risk, it’s still embarrassing for Apple as it comes so soon after other passcode lock bypasses were publicised.
Let’s hope that Apple fixes this flaw soon, and shuts a permanent door on passcode lock bypasses.
I wonder why apple.com doesn't post anything about this on their website and/or if this is indeed a security flaw, can I return my iPhone and get a refund?
Isn’t that the exact same video as the 6.1.2 bug? What was fixed if the bug is still there?
It's not exactly complicated, true, but not exactly easy either. I'd dare say that the benefit of voice dialing far outweighs the risks of this particular hack.
I suppose if you're not using voice dialing, you're just back to the old adage: "if you don't need it, disable it." It's not something I'm going to warn friends and family about, though…
Perform the most unlikely acts simultaneously, strangle a rubber chicken, sacrifice a virgin**, speak Satan's name three times backwards and you can bypass the security on iPhone/Galaxy/Whatever.
I have serious concerns about the mental well-being of those who not only discover such arcane procedures, but who spend time experimenting to find what sequences of odd behaviour might produce a result.
Unless the phone manufacturers start employing idiot-savants to test their new editions of each OS, it's impossible to guard against, as almost any normal, rational, well-balanced being wouldn't even be able to conceive of some of these "action chains".
**Good luck in finding one…
Are you talking about this one?
http://nakedsecurity.sophos.com/2013/03/05/samsun…
Samsung Galaxy has a bug very similar and potentially more devastating because it allows complete access to the entire system.
There are so many vulnerabilities in the Galaxy family and almost anything covered here.
Here's a tip: http://threatpost.com/en_us/blogs/vulnerabilities…
How do you know he did that bypass on iOS version 6.1.3? He might have done it on an older version. Don't believe anything you see.
I'm assuming this would only apply to iPhones with SIM cards. So probably my iPhone 4 on Verizon isn't affected (no SIM to remove).
This one just saved my wife. At least she can now manually copy all her contacts out before doing a factory reset. So while my mind boggles as to how this was discovered, I am glad that it was.