Another iOS 7 lockscreen hole opens up - call anywhere in the world for free!


Another iOS 7 lockscreen bypass has surfaced.

This one lets you make calls anywhere in the world for free.

OK, not really "for free."

You may not have to pay, but someone does, and that person is the owner, who probably assumed that the "lock" on the phone actually did - how can I put this without sounding tautological? - lock the phone part of the phone.

A keen iOS 7 early adopter from Ramallah in the West Bank, Karam Daoud, now apparently a business development guy but who worked in bug testing in the mobile space in a previous life, found the flaw.

By all accounts, it is reliably exploitable.

Unlike the first widely-publicised lockscreen bypass, there isn't an easy workaround for this one.

The previous one was the "all your photos are belong to a social network whether you wanted it or not" flaw we wrote about last week.

That one can be worked around by removing access to Control Center from the lockscreen.

The new flaw involves telling the lockscreen you want to make an emergency call, which is an option that, understandably, can't be turned off. (You can even make emergency calls without a SIM card, let alone with the phone locked - and that really is a feature, not a bug.)

Then you simply dial the number you want - the emergency call interface apparently doesn't limit what you can dial, merely where you can connect after doing so.

Instead of just pressing [Call], however, you apply bug-finder's dexterity and press [Call] repeatedly and rapidly.

It seems that if you are insistent enough, and get the cadence of your clicks just right, iOS gives in and connects you to the number anyway.

→ An earlier iOS lockscreen hole involved actually placing emergency calls and then hanging up, hopefully before they went through. We strongly urged you not to try that exploit, even on your own device, as we considered it a rotten, and very likely illegal, thing to do. Here, you use the emergency call screen merely to get the option to dial, but no emergency call is made.

In other news, there's already been an iOS 7 update, taking superearly adopters to 7.0.1.

But that update doesn't appear to be a response to either of the lockscreen bugs.

Instead, reports Ars Technica, it's a fix for the fact that:

...the fingerprint scanner's ability to enable iTunes purchases didn't quite work correctly — the iPhone 5S would prompt for a password instead of simply accepting the fingerprint.

So, there's a bug fix to improve your ability to spend money easily in Apple's cloud.

Let's hope there's another bug fix really quickly that removes the ability for other people to spend your money easily on the mobile network, and to share your private photos with the world.

In the meantime:

  • Consider removing the Control Center from the lockscreen to prevent the "photo sharing" lockscreen hole. (See image above.)
  • Be wary whom you hand your new iPhone to "so they can have a look-see."
  • If your phone gets lost or stolen, use a mobile control application or contact your service provider to have it locked out of the network as soon as you can.
  • Consider sticking with iOS 6.1.3 for the time being, since iOS 7 is much more about new features than security fixes.

Of course, sticking with iOS 6.1.3 leaves you open to the "six characters to crash" bug and the "juicejacking" hole that lets a dodgy charger infect your iDevice with malware.

But the first of those bugs doesn't seem to be exploitable for remote code execution; and the second is easily avoided simply by charging your device yourself from a known-good charger or PC.


3 Responses to Another iOS 7 lockscreen hole opens up - call anywhere in the world for free!

  1. Actually Paul, there's an easier way to make a call when an iPhone is locked - simply use Siri and it works perfectly unless it was specifically explicitly disabled in the passcode setup. That's a feature by the way not a bug and as for the 'make calls anywhere in the world', that's often not the case because carriers often disable international calling unless requested or you request it be disabled. You might have recommended that people enable and change their SIM PIN for additional security, and of course one can call their carrier to deactivate the SIM card.

    This type of bug routinely pops up on Android devices (e.g. google 'another lockscreen security bug found in Samsung Android phones'); do you use the same level of hyperbole for them?

    • Paul Ducklin · 709 days ago

      We have written regularly and critically about Android lock bugs, yes.

      In last week's article I expressly noted that Android was plagued with the same problem of too much functionality at the lockscreen, and linked to our previous coverage of Android issues.

      The SIM PIN doesn't help here (though I agree it is a great idea) and I *did* recommend calling your carrier promptly if your phone goes missing.

  2. Ronald Hunter · 708 days ago

    The best way to make sure this isn't a problem is to keep your iPhone on your person, or in a secure place, at ALL TIMES. Not so difficult, is it?


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog