iPhone Security Flaw Is the Tip of the Iceberg

We previoiusly reported on a security hole in the latest iPhone software exposes e-mail, text, and voice messages to whoever gets a hold of the device despite it being password-protected. Basically, clicking emergency call and double-clicking the “home” button brings up the favorites on iPhone 2.0.2. In actuality, however, passcodes can actually be cracked in every version of iPhone software to-date. While the method utilizing emergency calls is likely to disappear in the next version of the firmware, other security bypasses are readily accessible.

Per our friend Jonathan Zdziarski:

“Those interested in data security should still be quite concerned about the iPhone. The alternative methods for cracking the passcode - namely, the ones I’ve documented in the book - are by and far more sustainable techniques, which take advantage of flaws in the iPhone’s design itself. Until hardware changes are made to the iPhone, it is very likely going to continue to be very easy to break into one.

“The iPhone is a computer, just like a desktop computer, and so it can easily be booted in such a way that one can mount the disk and delete or modify the device’s configuration - including the passcode configuration. Cracking the iPhone’s passcode is about as complex as changing the root password on a desktop machine, given physical access.

“I’ve been making these techniques available to law enforcement for several months now. I’ve found even the most novice cop-geeks have been able to crack the iPhone’s passcode and install my forensics toolkit on the device. Agencies ranging from local po-dunk sheriffs to federal and international agencies have used these techniques to conduct lawful, warranted forensic investigation of iPhone devices since late 2007.”

The bottom line: don’t allow physical access to your iPhone, even after the widely publicized emergency call bypass is fixed.