Simple solution: don't let your phone lying around.

TimurY

well, why do i see a 2.0.3 version on the way? :)

ddragos

unless you have super secret info on your iphone i don't think it should be a huge flaw...

Geogeo

Hmm, so how many of us actually password protect their phones?

eblingmis

oh.. nice

bookmark

pwnd.

helfrez

I've got my ipod set to show on home button double click, so as far as i'm concerned this is not a security issue...

futureboy

@.max: The only workaround is this: Fix It.

Jesus Diaz

@helfrez: Exactly. The implications for the enterprise-which Apple is pursuing aggressively-and also private consumers are huge. There are no excuses for this kind of problem and trying to minimize it only harms Apple. I'm sure they will release a fix tomorrow.

RIM and Nokia must be jumping of joy.

Jesus Diaz

Possible workaround: will this trick work if I have iPod set to show up on Home double click instead of Favorites?

That's funny because I can't verify it myself. I have updated to 2.0.2 yesterday and now I can't turn on Password Lock. But I have a guess why :)

.max

@WinkMe: Not big a deal? Oh, wait, you are from the Apple fanboy brigade. How can anyone excuse this inexcusable bug is beyond me.

The bug is a huge security breach: one in which a password doesn't protect your device. This is enough for business to stop buying iPhones and recall whatever iPhones they have on the field.

There's no excuse for this. Apple fucked this one up because 1) is big, 2) is obvious. Now they have to fix it.

Jesus Diaz

Agreed with the comment about not leaving your phone lying around. Besides it's not like it can't happen with other phones. Anyone who would have the time to do some serious damage with your phone has stolen it, so how is this any different then them getting your laptop with all your info there, aside from the being able to call people? Plus if your phones been stolen you can have your carrier stop service on it immediately.

Omadon

HILARIOUS!!! Now I am no fan of Microsoft or WiMo, but had this been a flaw in Windows mobile, or say Android...OMG the world would stop to point fingers and talk trash about security. Every other post would be about switching to an IPhone.

But let it be a Iphone with an issue, and the first comment is "who password protects there phone...no biggie?"

and next up, "no super secret info on the phone". What happened to enterprise ready?

Followed by a resounding "Don't leave your phone around"?

You, my fine gentlemen, have officially earned the label of "Tool"

helfrez

I got tired of unlocking it every other song in iPod mode. I'm afraid to say that my iphone is as open to violation as the legs of a prom night date.

I'm glad to see that I wasn't really missing anything...security wise...

CribbageLeft

Wow there really Promoting 2.0.2.. and know this..

DJJS

NEWSFLASH: Huge flaw pointed out by Jesus Diaz is said to be.... not.that.big of deal. Life continues.

WinkMe

@ghmlco: 'Course, if it's THAT critical, it probably shouldn't be on your phone anyway."

What's critical? Is your mail critical? Mine is. Is your contact information critical? Mine is. Is your SMS database critical? Mine is.

Following your logic, we shouldn't store ANYTHING in ANY place. This is not how security works. Please educate yourself. It's easy, you can start with the computer security entry in Wikipedia.

"And I'm sure that anyone who finds a locked iPhone will enjoy your detailed, step-by-step instructions on how to break into it..."

Because security through obscurity is the way that the world moves forward. Because having to use third-party add-ons to make a product more secure is the way a product is complete.

Thank god Apple is not as shortsighted and apologetic. They just act.

Jesus Diaz

@Neone: @futureboy: This is a huge security issue and there's no way around that. Being able to break a password with a button click and access the most private information is a huge security breach in the iPhone, in any computer, in Gmail, or in any device or system in the planet.

Stop the fanboyism. It hurts your Apple "cause".

Jesus Diaz

Probably why you should use a app like 1Password or eWallet to store anything REALLY critical. 'Course, if it's THAT critical, it probably shouldn't be on your phone anyway.

And I'm sure that anyone who finds a locked iPhone will enjoy your detailed, step-by-step instructions on how to break into it...

ghmlco

I really don't see this as a big deal.

SMSDHubbard

Holy shit! I just tried it and it worked! I will not be letting this thing out of my sight. Password is still better than no password though...

The Magnificen7

Just set 'home button' to iPod in preferences.

Job done.

Just raving on about something which is... rather silly.

true perhaps it should be disabled, but to call it a HUGE iPHONE SECURITY FLAW with that simple workaround...

no.

Neone

Maybe i'm missing the point Jesus. Simply because in an enterprise anyone who wants the info, and has stolen your device, with the time and the magical internet could figure out how to get the information. Just like a laptop, you can never lock down the iPhone enough that someone couldn't get the info from it. And as a side, I'm not sure if you were talking about me in the apple fan thing, but I am an Apple user and general supporter. I'm just looking for clarification in how this is a HUGE issue.

Omadon

@futureboy:

Ditto that!

The_Raven

@CribbageLeft: Just set double tap home button to ipod. No security issues, and you don't have to unlock your phone to reach the ipod either.

Badmofo

@Neone: Do you actually understand security? Do you realize that a product like the iPhone has to be secure onto itself, with no user intervention whatsoever? If you set a password, the password should protect your device, period. No way around that.

The fact that the user can avoid the security flaw doesn't change the fact that the security flaw is there for anyone to exploit in any device that hasn't been protected by the user. The problem is that not every iPhone user in the planet will read this article or any other in the Web and take adequate measures.

There's no excuse for security flaws, which is why companies like Apple take them so seriously when they appear.

Jesus Diaz

@Jesus Diaz: Ah, okay I get it now. I see why it's a huge issue. I agree, the system shouldn't be so easy to get into in the first place. Thanks for explaining it to me!

Omadon

Hm...I'm currently using the 2.0.1 software update and this flaw doesn't exist. Perhaps I'll just stick with it until this is resolved.

ChelseaCosta

Setting the preference 'home button' to iPod doesn't allow you to get into mail, contacts, whatever.

So no private information is revealed.

I still don't see the issue.

And I am not even an Apple Fanboy like most others here, I am just pointing out a solution to your problem.

Neone

There are less critical flaws in Vista, yet people bitch and moan about them and act like they make Vista unuseable.

BAH!

This is a serious flaw but being the obsessive fanbois you are you wont admit it.

Napalmhaze

J.D. I understand where your coming from on "its a huge security breach", but I dont find it threatening to your job or information.... unless your phone is constantly being put down in public. If this was some sort of software error where, lets say, people could download all personal information of your when you connect to a 3g network or wifi, I would call that a HUGE breach.

My rule of thumb is this: if your dumb enough to leave your stuff laying around in a potential place to get your more than normal priced phone stolen or dont care about it enough to lose it (I don't care if your forgetful, if its THAT important to you, you remember) you deserve to have your phone, information stolen, lost, broken and anything else that could cause you stress happen to you.

How dare you call me a fanboy of anything. Yes, I have an Iphone 3g and yes I love it (due to my previous phones sucking balls, its a whole new experience for me), it doesnt mean i will "let shit slide" just because its an apple product. I actually think apple sucks past the iphone. I feel that alot (if not all) of their stuff is too restricted and dumbed down.... so let me raise my middle finger and give you a resounding virtual "fuck you"

oh and.... ITS NOT THAT BIG OF A DEAL UNLESS YOU CANT KEEP YOUR SHIT TOGETHER

Want a fix/ work around for this? here it is:
dont be a dumbass and lose your phone... LOOK IT NEVER REALLY HAD A PROBLEM NOW DID IT?

WinkMe

J.D. I understand where your coming from on "its a huge security breach", but I dont find it job threatening or information.... unless your phone is constantly being put down in public. If this was some sort of software error where, lets say, people could download all personal information of your when you connect to a 3g network or wifi, I would call that a HUGE breach.

My rule of thumb is this: if your dumb enough to leave your stuff laying around in a potential place to get your more than normal priced phone stolen or dont care about it enough to lose it (I don't care if your forgetful, if its THAT important to you, you remember) you deserve to have your phone, information and anything else that could cause you stress happen to you.

How dare you call me a fanboy of anything. Yes, I have an Iphone 3g and yes I love it (due to my previous phones sucking balls, its a whole new experience for me), it doesnt mean i will "let shit slide" just because its an apple product. I actually think apple sucks past the iphone. I feel that alot (if not all) of their stuff is too restricted and dumbed down.... so let me raise my middle finger and give you a resounding virtual "fuck you"

oh and.... ITS NOT THAT BIG OF A DEAL UNLESS YOU CANT KEEP YOUR SHIT TOGETHER

Want a fix/ work around for this? here it is:
dont be a dumbass and lose your phone... LOOK IT NEVER REALLY HAD A PROBLEM NOW DID IT?

WinkMe

This isn't huge huge HUGE, but if you can password protect a device, it should at least protect it. I mean really - why friggin' bother?

Also: You're total apple fanboys
But: Whatever, like, this is nothing, whatevs Giz

Some comments on Apple stories really restore my faith in complaining.

jbang

"What's critical? Is your mail critical? Mine is. Is your contact information critical? Mine is. Is your SMS database critical? Mine is."

All of those things are critical, yes. Private? Perhaps. Most of my names and addresses and numbers are in the phone book or can be found on the web. Confidential? Probably not. Neither my phone, nor yours, I suspect, contains top-secret Iranian war plans, the president's private number, or even the secret formula for CocaCola.

I also suspect that if found, the average iPhone SMS message queue consists of "OMG! Did you see what Becky is wearing????" Besides, my phone was already "at risk", as I don't use the passcode lock in the first place.

So IF someone were lose their iPhone, and IF it's locked, and IF it contained something earth shattering, and IF the joker who picked it up read Gizmodo and knows how to unlock the phone to the extent this scheme allows, and IF he manages to find said information, and IF he's in a position to do anything about it, THEN you could have a problem.

Care to work the odds?

Should it be fixed? Yes. Will the earth fall out of planetary alignment until is? No.

"Because having to use third-party add-ons to make a product more secure is the way a product is complete."

No, using third-party add-ons is a way to gain additional security. Ask PGP or TrueCrypt or, as I mentioned, eWallet, why they exist. As I said, anyone with truly confidential information should use the extra protection such things provide.

Because, from a security standpoint, anything can and will be cracked and broken into. This is just one example of what happens when you don't.

Or to put it another way, ever notice how many doors have TWO locks?

ghmlco

This is not really a huge deal as long as you put the home button on "home, or "iPod."
I personally had it on iPod. So when I tried doing it, it just brought me the iPod menu... and it only allowed me to make one track selection. I tried to do it again after picking a track, and it wouldn't go to my iPod menu anymore.

So it's not so bad. Now the only problem I see there is if you have any music, or video content that you don't want people to know about. Like porn...

HollywoodLeo

This is an interesting find, but I tried it and lo and behold: My music popped up... I suppose I should have realized I needed to read the entire article before thinking it was going to be a problem.
In the meantime, it means I can let friends listen to my music without taking the time to tell them my password.

The Amazing Ant

The defenses here are ridiculous. Password protection is there for a reason, @Omadon. When actually implemented properly, security features like password protection can provide a serious barier to unauthorized access, despite the internet's "magical" properties, to which you refer. Unlike you, the designers at Apple understood that password protection is an important feature for many people, which is why they made sure to include it as an option in the first place. Unfortunately for them, there's a serious hole. I assure you that they'll be taking the issue a lot more seriously than you are.

"Just like a laptop, you can never lock down the iPhone enough that someone couldn't get the info from it."
??? That's a ridiculous thing to say. There are good steps one can take for securing information on a laptop, so that it would be extremely difficult for thieves to access it. Responsible people who need to be concerned about the information contained on their laptops take those steps. Similar principles apply to PDAs or cell phones, if they contain or are used to access sensitive information.

"I am an Apple user and general supporter"
I don't understand this mindset. Naturally, one can be a satisfied user of a line of products, but it's a irrational to feel a sense of personal loyalty to either an inanimate product line or the company that manufactures it. A supporter? What does that even mean? Do you imagine that the company has a particular vision you can get behind? It's a company, nothing more. Be a supporter of causes, people you care about, ideals you think are important. A company you merely buy some consumer electronics from, on the other hand, is a ridiculous thing to be a "supporter" of.

Isildur

@eblingmis: Why would you not put a password on your phone? Laziness?

@TimurY: Yeah! And never, ever, ever let it get stolen from you nor anything else you ever, have ever owned or want to own. Do you live in reality? Things happen beyond our control or knowledge. Getting stolen from can be one of them. Security: it's a good thing.

@Omadon: If you were a sales person, at a vendor's meeting, with your competitors around, and some how, some way a competitor or yours got your phone they could at least see who your clients are, contact them, and under sell you. That would be devastating to your business dealings. Especially if they actually stole your iPhone. This is an example of why laptops get encrypted as well - not just to hide embarrassing things from others.

unspellable

A computer isn't also 'secure on itself without intervention'

not downloading from strange sites for example.

ok, perhaps not 'that bigga issue' you might think, because I cannot login to your computer (without getting the RAM out and getting your encryption from there) but it is a more common issue.

Still there is a simple resolution to it: surf safely.

Same here.

I cannot think of a single thing which is 'secure without intervention'.

Neone

@MadColombian: errr i meant to say that you shouldnt necesarily be able to see their contact info.

MadColombian

@ghmlco: If I am correct, if a company trusts you with top-secret information on your phone, and you lose it... they have remote wipe for that. Isnt that part of the Enterprise Suite?

I do agree... it should be fixed ASAP, but I didnt even notice it until I saw it on here. I have my iPod set as my double click as I barely even use the iPhone to call... (and not just because it drops 50% of my calls anyways)

However, I do somewhat like the feature of being able to quickly call somebody from my lock screen. They should adjust it where you can only select the number you want to call, and not necesarily be able to see the number. If their cell number is under your favorite, more than likely your going to call them there anyways. Thats all this "feature" should of been. a way to quickly call someone without needing to see the number. Thats how the security-flaw should be fixed... instead of the whole feature being axed (in my opinion)

If it wasnt for this "bug" i would set it to show favorites with a double tap. Until its fixed, I will keep set to iPod.

MadColombian

This is definitely a huge issue that yet another piece of apple software on the iphone doesn't work as it should.

But I'm trying to figure out what that feature actually does besides prevent someone from copying down some info really quick while you're not looking? I mean, if they steal (or otherwise have in their possession) your phone, it's not like it's that hard for them to get into it. They could take it home, quickpwn it, and take your info anyway?

I guess if this feature worked properly, it could be a deterrent, but it's not like it could ever work to be the end all of people getting info off your phone if they really wanted it.

pj_rage

This is EXACTLY why Apple isint trusted in the corporate world. You fanboys can rant about how insignificant this is all day long but it IS a big deal to corporat security types. I was looking forward to rolling this out to a VERY LARGE company today but we won't be able to do that now.

pffft!

SnakeFarm

@WinkMe: This could be an historic first: The Disemvoweling of a Double Post. Congrats!

GadgetPlay

I dunno, I see how this is a problem, but I think the headline is a little overblown and sensationalist. "iPhone Bug Renders 'Lock Phone' Worthless" is a lot more accurate, but I guess it doesn't drive the click-thrus.

When I read this headline, I though there had been some sort of massive remote exploit discovered. While this is clearly embarrassing for Apple, it's not exactly the end of the world either (especially with the workaround).

max_k

his whole point is that a monkey can unlock your password protected iBrickOfGold. it doesn't matter *how* it ends up in someone else's hands, just that it's embarrassing how simple it would be for them to unlock access to your phone data. it should be just a tad harder to do than this, no?

spuntyb

As a photographer and photographers assistant, I have worked with people whos contact lists have had the direct numbers for people like Michael Phelps, the deposed Queen of Iran, Dick Cheney, Shaun White, and maybe even the Pope's secretary. If you have ever been to a professional photoshoot, it can get pretty hectic and things WILL get set down out of your immediate line of sight. It happens, it cannot be avoided. You take precations to minimize the damages if the unthinkable occurs. Yes. this is a fatal flaw, if someone can get those numbers quickly, with the phone not leaving his possession for that long.

sqeakytoy of the apocalypse

"I was looking forward to rolling this out to a VERY LARGE company today but we won't be able to do that now."

Right. Guess you'll have to wait a week or two until Apple pushes the update.

ghmlco

In the midst of all the Apple fanboy/anti-Apple fan boy ranting I did have one question: has this security hole been forward to Apple? Because it is 1) a VERY big deal and 2) needs to be fix ASAP.

DinoRubble

@WinkMe: So, let me get this straight...Apple leaves a big gaping hole in their security, and it is my fault because perhaps my iPhone fell out of my pocket while my coat was going through security in the airport and someone else picked it up?
I suppose you've never misplaced something in your life.

Yes, it can be temporarily fixed by setting the home double click to something else. Would I have known that if I didn't read Gizmodo?

Point is, its a security flaw and you jackasses are acting like its a feature.

kwicherbichin

Yup, it works on my phone. Like others it's not a big issue to me but whaddabummer for people who need this feature. I hope Apple gets their shit straight soon. I'm not a fan boy but I'm rootin' for 'em, 'cause this is such a excellent device.

On the other hand maybe someone else will step up to the plate and do it right. Then in 2 years (1 year 11 months really) I'll be able to switch to THAT new gizmo. Android, anyone?

stryder100

@Jesus Diaz: Today I am a proud reader of Gizmodo. I think that the flurry of comments have been the first time I've ever heard an editor just outright say "cut it out". Most of the time you have to be politically correct and stay out of the commenter spats, but this is fanboism at its finest, and mind boggling for someone to try to downplay it. Kudos to you for just calling a spade a spade kind sir.

helfrez

@Isildur: "Unlike you, the designers at Apple understood that password protection is an important feature for many people, which is why they made sure to include it as an option in the first place."

Hahahaha, yeah okay. Because Apple really cares about features that are important to people MMSVideoCopyPaste. More than anything it sounds like it was employed to cover their collective asses.

rcast1986

When I first saw the title, I thought "Holy crap! This is a big deal!"

Then I read the article, and thought "Meh, not such a big deal."

Then, after reading Jesus' responses/defenses/flaming torrent or rage, I realized that it IS a big deal on the grand scale of things.

For ME, this is hardly an issue since I choose not to password protect my phone, so if it got lost or stolen and someone else picked it up they would be able to find whatever they wanted to find. There's nothing on my phone (like schedules, addresses, super personal information aside from phone numbers) that could help someone ruin my credit or destroy my life. Any of THAT information is stored somewhere else -- somewhere more secure.

I'm hardly an Apple fanboy -- I hate Apple, actually. I just happen to like their phone and iPod. I still hate what they stand for as well as the crushing amount of hubris Steve Jobs exudes, and the way he decides to handle his press. I can't stand the "Get a Mac" spots, and hope Justin Long's eyebrows fall off. I can see how this is a huge issue for the phone and for Apple.

But for me...it...just...isn't.

rcast1986

Sorry ... but this doesn't happen on my iPhone. Yes, I have the latest version.

Effero

Good. Maybe this'll expedite 2.1.

imaginaryplaya'

I'm using the 2.0.1 software and the flaw is there. If you want to take it further, when you see your favorites, click on the blue arrow and tap send a text message, then when you see the conversation, double tap again and you will see your favorites BUT this time you'll be able to create a contact or make a call using the analog dialer. Again you can take it further by adding an URL to a contact and open safari or even delete contacts. Apple should fix this asap.

Dennis Raver

This is why I won't use a phone named after Gizmodo editors? Has anyone tried the Frucci-fone? It's crap. Total crap.

OMG! Ponies!

@bmeckel: You jailbroke, and something isn't working 100%? Are you surprised? I think it's pretty good the jailbreak works at 95% or what not, and I'd say not being able to do one or two things (that don't seriously compromise the usability of the phone/ipod) is the cost of doing business.

shockwaver

I just tried this with my iphone - and I have to say, it seems like an oversight. Why do I say that? Well, when the favorites list comes up, it's missing the bottom border - and we all know how much Apple loves their styling. I was thinking "Meh, not a big deal", until I realized how easy it was to access my email, which, while not super top secret, it is still corporate info. This needs to be fixed, and fast.

That being said, in response to other peoples saying that if MS did something like this there would be a bigger outcry, you are probably right. Because MS has a well established history of thinking about security second. They have a pattern of ineptness when it comes to security, and their failing impact hundreds of millions of people. Apple slips up once in a while, so people are less inclined to view it as some horrible thing versus something that will be fixed quickly. (Same with google et. al., they have a culture of security - or at least a perception of one to the masses)

shockwaver

I set my phone to go to the iPod controls when I double click the home button. I think Mr. Diaz is over reacting on this one.

stryderxx

@mobilehavoc: Just shows how stupid the accusations about me (or Giz) being biased in favor of Apple.

When there's something wrong, we call it and we are critical with it. When there's something right, we praise it. It's as simple as that.

In this case, it's a huge mistake.

Jesus Diaz

hmmm...well my iphone REFUSES to let me put a passcode on it, because it thinks it already knows what it is. i was trying to just put 1111, then when i went to change/turn off passcode it would try to ask me for a different passcode, as 1111 didn't work. stupid jailbreak/apple...i'm starting to lose more and more faith

bmeckel

Amazing, Jesus battling with Apple fanboys. Never thought I'd see that.

mobilehavoc

this works on 2.0.1 aswell

bwilliams18

This is not new :-
The JailBreakme.com method used to work on this principle.

Apple already knows about this 'feature' ;)

vinodlive

@Jesus (if that is your real name) - "The problem is that not every iPhone user in the planet will read this article or any other in the Web and take adequate measures."

Erm, how about making sure apple know about it before spreading to thousands of people?? This is the kind of thing you should write after the issue has been fixed, not before.

timp123

If you use the password feature = big deal

If you don't = not a big deal

Once Apple hears about this it will be fixed but for those that think companies will avoid the iPhone because of this I disagree. The Blackberry and RIM have had their share of security problems as well. I won't even go into Microsoft products.

TideGuy

FYI:

It depends on what the double click is set to as to how bad/how annoying the hole is. I have mine set to iPod so if you double click it there it only goes to the ipod, so other than seeing tha tI listen to TWIT, Macbreak Weekly, and Ace of Base the most I'll get is embarassment.

But if you have it set to safari, mail, or favorites like in the video, it lets you get much further.

trekkie

I dont have an iphone but i assume by getting access to the contact details u can add a dummy contact and add url "pref://" which will take you to the settings menu of your iphone and you can do more with...

* jealbreak
* remove the soft lock
* check nude pix of ur GF.. hehe :)
* and more

simranali

I agree that this is a pretty serious issue Apple should take care of in the next 48h

jesus,
Those who are trying to downplay the issue probably got a little offended by the Sun-esque tone of the headline ;)
A more sober "iPhone Security flaw: circumventing the PIN in 3 simple taps" would have done the trick to appease the fanboy community while letting everyone decide for themselves if the security flaw is huge or not

gizmodist

wow first off I'm no apple fan, but I'm sure that apple is taking this a lot more seriously than some of the fanboys in this thread.

second thing, damn. that is a major thing with apple pushing the business side of the iphone. im sure they'll have it fixed in no time, but just goes to show, no device, windows, apple, or otherwise, is truly safe

lol123

On a password protected iphone, tap "emergency call" et then dial a number and you'll be able to call any number you'd like not just 911!

SachaP

@helfrez:

I agree with you 100%. If this had been a Windows operated phone, this would suddenly become a huge problem and Microsoft would have some kind of crisis on their hands. I don't think the "double tap home button" was not intentional, but you should be able to create a small list of emergency contacts where only the phone number is available.

Kbiscu1t

Simple workaround: If you set your iPhone to show the home screen on double click of the home button, it will close the security vulnerability.

MalvinOrion

I just have my double tap set to my ipod as a shortcut, so any theif can only listen to my music - still don't like the idea though

tomnzed

Mine goes to my ipod... no biggie, still kinda lame that they let that slip

Dooosh

@bwilliams18:
yep it works on my 2.0.1 too!

shaffan

A security tip: Never leave your iPhone (or any cellphone) unattended, and don't lose it. Is it so hard?

berbar

"@Jesus (if that is your real name)"

Ohhhh man, my nomination for stupidest/most unintentionally-hilarious statement of 2008.

I picture Micheal Scott on Diversity day: "Mr. Brown, if that's even your real name..."

rcast1986

@mobilehavoc: The whole fanboy issue has become warped. Apparently, anyone who says anything less than derogatory of Apple is now considered a fanboy. Saying anything about Apple - positive or negative - is immediately measured against some descending threshold of fanboyism, with anything short of linking Apple to satan becoming grounds for fanbully dismissal.

Giz shouldn't have to defend any post about Apple as evidence that they are or are not fanboys. They're writers with opinions, not candidates appealing to constituencies. "Fanboy" should be treated as something between "first" and "will it blend."

frigg

To take this one step further, you can actually get all of the contacts by double clicking the home screen a second time from Safari!

That will get you all the contacts, you can dial out, see recent calls and voice mails. Total goatse!

Joseph

For those that had comments along the line of why store secure data on the phone I will comment. I work for a company that provides systems and support for financial institutions. I have my iPhone setup for our enterprise. I have a number of sensitive emails that come to me on a daily basis and this "bug" could be pretty bad for the company and myself if someone were to get to my phone. The comment made of don't leave your phone lying around is true, I always have mine in my pocket unless I am sitting at my desk. The workaround to set the home button to the home screen works so at least there is an easy fix for this.

slowry26

Maybe the better solution is to keep your iPhone where no one will be accessing the private data. Anyone who picks up the phone is just as likely to *steal* the device as send a text to your mother, who's on your favorites.

winter_in_asia

haha, awesome. My 3g 2.0.2 has it.
Tried this with co-worker's iphone with jailbroken 1.1.1 and it doesn't work.

biofreak

So, given that this phone has been a relative technological failure - it offered nothing new except suck 3G, failed applications, bugs, crashes and security flaws - when are you going to stop calling it the JesusPhone?

AllYourBaseAreBelongToUs

I tried and it does work as explained... which sucks big time.
A solution against this is to set the double-press on the Home button to trigger the Home screen or the iPod controls... in which case, when the phone is locked and you tap "emergency call" then double-press the Home button, it simply goes back to the locked screen.

lemoose

Confirmed on 2.0.1 here as well. D'oh!!!!

EnochLight

@eblingmis: I skimmed most of the other responses only, and saw one or two along the same lines, but I'll chime in with:

Who wouldn't password protect their phone? Even if a dedicated hacker could get at your information, chances are if you left your phone laying around someplace, some luddite would find it and a PIN would at least keep the typical Joe out there from seeing your email, phone numbers, etc.

On the other hand, the PIN also keeps anyone who finds your phone from getting access to important things like how to find you if they're honest and want to return the phone to you...

distortedloop

Remote Wipe if you can't find your phone? Pretty sure that covers all the security flaws. Anyways, it'll be fixed soon. Stop making this out to be a huge flaw, just for the attention. I'm sure 60% (or more) of iPhone owners don't even know they can passlock, let alone activate it. Same goes for a lot of other cellphone users. "But it's for the enterprise! Top secret information!!!" Remote Wipe.

JustEaton

Loving the "don't leave your phone unattended" "dont lose it" comments, what the fuck are you robots? we are humans we make mistakes that is our nature also theres people that just have bad luck you know they could get mugged and all, what are you gonna tell them then "well you should of been carrying a gun too."

rodsky

BTW, @ Jesus, thanks for the tip. Given how much info is in the iPhone, this has gotta be important for a lot of people. Apple please fix this STAT!

frigg

I don't know much about the iPhone and its' underlying file structure, but is there a way to add like a cryptainer app that secures, if not all the app binaries/apps' info, at least the app's info? A band-aid at this time, but also future protection against possible hacks, whether the miscreant has direct access to the phone (like this) or any network vulnerabilities show up.

As far as all the "don't lose your phone" comments.... feh!
Sh1t happens. And on the Enterprise level, that seemingly ditzy man/woman you've been trying to get drunk at the trade show could easily 'borrow' your phone (w/o your suspicion or knowledge) for the time necessary to get your sales/supplier contacts.

hypereric

When a security flaw becomes a big deal: When your wife picks up your phone and finds all your emails to your girlfriend (or boyfriend, as the case may be). This flaw will suddenly escalate to a major problem and you will be going after His-Jobness with your torches and pitchforks.

Curves

@ghmlco: What you've just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it. I award you no points, and may God have mercy on your soul.

This "bug" has rendered the iPhone's password protection nearly meaningless. And, while I'm sure this is not a big deal for 16 year olds around the world, it is a big deal for those of us who use their phone for business. I do not know what you do for a living, nor do I care. I also don't care "what Becky was wearing." However, I do care that people in my office could gain access to the confidential information in some of my emails. Period.

bryanoak

This is a big deal to the enterprise side of it... Yes, with a deal of work, I am sure you could get the data off if you really wanted regardless of whether this flaw is fixed... but by that time the enterprise has used their remote wipe capabilities to scrub the device clean...

ijonathan

I would like to see Apple fix this ASAP so that the emergency call button only calls the emergency services line three digit number (ie: 911) instead of allowing someone to call any random number or have access to other areas of the iPhone. Add to this they should update MobileMe to allow remote data wipe of the iPhone similar to what is currently only available to users of Microsoft Exchange.

imagine-engine

I am reading the comments here, becoming more and more astonished by the utter ridiculousness of the arguments people are foisting against Senor Diaz. I call Jesus a spade when he is a spade, by the way, check my commenting history, but this time he got it 100% right.

If you put a passcode on something, that something should become inaccessible to casual prying, or even slightly less than casual. That's what locks are for - to keep out honest people, as my father always asserts.

Yes, if someone wants in, they'll get in. But for someone to pick up a phone - and the argument about "well, don't leave it anywhere" is horsesh1t, and the foisters thereof know it - and out of curiosity or even a desire to be helpful by finding the owner starts pokin' and gain access to the phone's features - that's just a colossal fail.

You should never have to implement any kind of work-around to make a passcode do its job. If this device is to work in a corporate environment, that's a postulate. Defending this is just...indefensible.

ps61318

@jesus: 1. You did Apple and iPhone users a huge service by pointing out this security flaw and coming up with a workaround. It's a major bug and Apple must fix it ASAP. 2. Thanks for taking the high road and not letting the posters bait you into descending to their level.

craighyatt

And excuse the double post but from now on when Jesus posts I won't get the thought of commenters running away shouting God-Diaz!?? in a Japenese accent...

No one dares fight that.

Gizmodo officially Apple neutral.

Till tomorrow.

doobiebros2two

To those who say "It's not a big deal" - Is stealing a 5-cent candy a big deal? Will you detrimentally affect other peoples lives? Of course not. It's the friggin PRINCIPLE of it.

You can't just rationalize away the problem by stating that the consequences are negligible.

nutbastard

Blackberries used to be the same way, make an emergency call then end it and you where at the home screen. It's since been fixed but you can't say Apple is the first.

doobiebros2two

Meanwhile in Cupertino, a man shouting loudly at someone can be heard around the Apple campus. Strangely, people who have heard the ruckus said that it sounded like Steve Jobs.

Noobs-R-Us

@rcast1986
It was totally intentional, don't take it away from me it took me ages to come up with that!

timp123

Honestly, I expected a remote compromise.

Any first-year computer science student ought to know that physical access invalidates pretty much every type of security.

The security flaw isn't in the device, it's in the physical method used to get hold of the device.

Now, if this could unlock and grab all your private data over, say, bluetooth ... that would be worth discussing.

Beryllium

Can't be !!!!

Apple is perfect!...

Does not happen in my Q9h... LOL @ Apple.

aec007

@Omadon:

"Just like a laptop, you can never lock down the iPhone enough that someone couldn't get the info from it."

Can you please explain how that makes this flaw acceptable?

I have a door on my house. It has a lock on it. I'm sure that if someone wanted to pick the lock, they could. And I'm sure that if that No Country For Old Men creeper came by with his cattle killer, he could blow the lock away, too. I'm OK with this. But I wouldn't be OK if after I locked my door, someone could open it just by turning the knob.

generall

Oh sure anyone would complain "Oh it's not a big deal to me because I'm not the type who would leave my phone just anywhere" would least expect this happen to them.

ripfire

Nice, the best part are all of the "no big deal" responses. If this was on a crackberry not only would the fanboys be laughing it up and talking about how awesome the iphone is but fire and brimstone would rain from the drop ceilings of all corporate offices.

Thankfully nobody who actually does anything uses an iphone so its not that big of a deal.

archercc

This is an issue with 2.0.1 as well. Re configure the home button double tap to go to the home screen and you will be fine till apple fixes this. --- Sent from my handheld device

JacindaOeneus

Go into your settings : general : home button » set it to home (not iPhone favorites) and you won't have this problem.

Augustum

Pretty sure this hole will be fixed very very soon.

sos10

Thanks Jesus for bringing this to our attention. I just changed it to the double click to "Home" and I feel a little better. Apple really needs to fix this, as this is a pretty huge deal. I guess if you're not the type to password protect your privacy, then it doesn't matter. But since I do, it matters to me.

Rain-man

But Apple products are so much more secure then Microsoft ones! *cough*

jbiller

Oooh~ iphone technology backstabs again! But seriously, this should get pached before people start freakin' about their info being stolen and looked at, scary, ain't it iphone users? :P

cowpop

Wow, fantastic number of people in this post being intentionally dense.

Onouris

I think if anyone deserves a security break, it's Apple. Macs have been amazingly air-tight for at least a decade when Windows users have been terrified out of their wits when the latest bug starts going around from PC to PC.

Apple has really only been in the mobile device realm for a while since the iPhone came out and there's a whole new can of worms that opens up when you deal with mobile security issues.

Windows Mobile has been on the market for far longer and they still are fraught with security issues too.

I think everybody is learning how to cope with mobile issues still. I think a few free passes need to be extended by us, the consumers.

michaelportent

I had a Motorolla that if when locked you took out and put back in the battery really quickly, it would unlock itself. Locking a cell phone really doesn't work on any platform.

computerwiz3491

@generall: It doesn't make it acceptable. Though I would say that if you really need it that protected why carry it around on the mobile device or ever let it out of your site if it has something that important on it? Again, yes i understand the whole argument of security though, and I agree, so really I suppose we're arguing over nothing.

Omadon

Wow so many attacks on me when i asked a simple question. I was asking nicely to boot. A lot of you know quite a bit about tech, but very little about manners. Next time try taking a deep breath, and then answering calmly. It'll still get your point across, better then yelling, or being all high and mighty. Plus all of you started answering me AFTER I had stated okay I get the point. @Isildur: your post was going well until you said unlike you. I mean come off it man.

Omadon

@rcast1986: Yes, they do indeed "care" about what people want, insofar as they think it'll effect sales significantly. It's not a matter of caring on a compassionate level, it just a matter of what features they thought were most critical in terms of attracting consumers. That doesn't mean they're going to include everything that people want-- they decide on certain features that they (rightly or wrongly) think will be top priorites for consumers, and they work hardest on having those particular features ready in time for the product release. Some others features that they don't consider as critical for attracting the average user get neglected.

Isildur

0000,0001,0002,0003,0004, etc

Someone with spare time and your phone will get it eventually.

Y2KGTP

Locking down iPhones ASAP on the corporate network. Thank god for EA2K7.

tomcod

@Jesus Diaz: after seeing your response i wonder why we even acknowledge people that don't seem to think before they speak.

Paradise

@WinkMe: give me your email address and your password and we'll see if it's a big deal or not.

Paradise

For users of MobileMe, you DO HAVE remote wipe of your contacts, calendar and email; just wipe the information on your MobileMe cloud, change your AppleID password, and then re-populate your data back onto the cloud. If you have your iPhone set to 'Push' down to the iPhone it should wipe your data in just a few minutes.

codemagic

@archercc: Zing! Best in Thread to you, my friend.

ps61318

So in theory this is a worst case scenario.

A corporate iPhone is lost. The finder uses the flaw to gain access to the users inbox. In the deleted items folder he finds an email with his recently reset VPN login and password.

The users corporate network is now vulnerable until their
I.T. department is notified that the device has been lost.
Hopefully they have a strong and efficient lost/stolen asset policy and they can get the device wiped and passwords reset quickly.

tomcod

@helfrez: Haha - couldn't agree more sir!

NagChampa

@michaelportent: Security is security. Even one instance of stolen data could prove disastrous. Nobody deserves any kind of 'pass', no matter how good their past record is.

CarrerCrytharis

Seriously thank you Jesus Diaz BTW for surfacing this issue and posting it prominently on Giz - I don't want my personal data on my new beautiful iPhone 3G to get compromised. Good job!

NagChampa

Would showing gizmodo readers phone numbers and email addresses count as a security flaw, or were they just mockups?

iomatic

@timp123: The majority of the time when individuals sends big companies exploits like this they just ignore it.

If history has show us anything, its that the quickest way to make a corporation get its shit together is by making it as public as possible.

TheLostVikings

@tomcod:
Seems to me you are trying to justify a HUGE security flaw on the iPhone by putting the blame on Corporate America.

Yeah... right, like the crap will fly on the corporate IT departments.

aec007

@wild homes loves you but chooses darkness!: " I'd give out my bank account number before I let anyone know I listen to Ace of Bass. "

Too Late.

ViperBorg

@eblingmis: I do, but it's no an iPhone. :)

ViperBorg

This is definitely a major problem, and I hope it doesn't get anyone in trouble. But I can't remember, as I changed my own ages ago-- does the home double tap default to Favorites? I thought it defaulted to Home, and Favorites had to be selected under Settings, General, Home button.

Either way it's a significant problem.

@trekkie: I'd give out my bank account number before I let anyone know I listen to Ace of Bass.

wild homes loves you but chooses darkness!

er, reining, I mean

Isildur

@Omadon: Yikes, looking back now, I really did go way overboard. I seem to have gotten into a bad habit lately becoming obnoxious on message boards on days that I'm feeling especially stressed by other stuff-- I need to work on reigning that in. I apologize.

Isildur

@alansky: Because they hate Iphone users, and wish bad things will happen to them, obviously.

mikemil828

Can't believe that the morons who are reporting this on Gizmodo and other sites are describing in great detail how to exploit the security flaw. HOW DOES THIS HELP ANYONE EXCEPT POTENTIAL THIEVES???

alansky

No security hole here, nothing to see, moving on.

Sent from YOUR Iphone 3G.

/sarcasm

iSee

@generall: It doesn't make the problem acceptable, it makes it not as huge of a problem as the Blackberry fanboys make it out to be (IMO the blackberry's clunky UI is the best data protection mechanism out there, but I digress), the ultimate form of protection for any mobile device is a remote wipe, which you can achieve through exchange, or through calling up AT&T if you aren't connected to an exchange server. The password protection, like door locks, is mostly useful to keep law abiding citizens out.

mikemil828

EPIC WIN!

Imakeholesinu

"I was looking forward to rolling this out to a VERY LARGE company today but we won't be able to do that now." --SnakeFarm

Why can't you just use the simple workaround until the problem is fixed? According to other reports, the hole can be plugged by going to Settings>General>Home Button and setting the Home button double-tap option to "Home" instead of "Favorites."

alansky

@archercc:

I 100% completely concur.

Derek Devine

Haha, it's also funny how x amount of people knew this and how NOW XXXXXXXXXXXXXXXXXXXXXXXXX amount of people know.

Derek Devine

I like how the most outrageous ignorant apple fans say this is "no big dea" "fix: don't leave your iPhone lying around" "who password protects their phone anyways?" I personally would be REPELLED.

Derek Devine

@Y2KGTP: Good point about only 10,000 possibilities. Not related to this security "hole", but I was thinking along those lines the other day after I changed my PIN (I noticed a "friend" watching me closely as I typed mine), and I worried about forgetting it and how hard it would be to just brute force attack it that way.

The iPhone does have a bad PIN entry timed out blocking mechanism (5 wrong attempts) gets you locked out for ONE whole minute), so, 10,000 possible codes, divided by 5 attempts per minute, divided by 60 minutes per hour means in the worst case scenario, a determined brute force hacker could get in in 33 hours and 20 minutes.

If I wanted to crack into a found iPhone, I think I would just try the new QuickPwn tool. I don't think being PIN locked would protect your phone from that. Once jailbroken with SSH and root access installed, the entire file system, including contacts, calendar, phone history, SMS, email, EVERYTHING is easy pickings.

As others have pointed out - PHYSICAL ACCESS to a device means pretty much anyone with a bit of knowledge and determination will get what they're after. This really does make remote wipe a necessary feature, corporate or not.

distortedloop

@codemagic: re: MobileMe poor-man's remote wipe.

INGENIOUS!

Thanks for the tip.

distortedloop

lol where are all the fanboys who go on about a lack of viruses.....i.e. WinkMe

Sixxtwo

@helfrez: AHAHAHAHAHAHAHAHA No intent to bring politics into the foray, but the same crap with political parties (more so from one in particular than any other).

ugar

Blackberry: 10 wrong password entry attempts wipes the device. Emergency call feature only dials 911, no navigating after confirming emergency call desired. No battery pull exploit. Remote software lets me see where my phone is if it's lost or stolen via gps location and map. Not hating on the iPhone (though I've used it and wasn't in love), just some suggestions for how to do it right.

BTW, isn't the real security flaw that Mr. Villalba's info is displayed in the video? (heheheheh)

Synik103

Here's another security flaw I discovered on the iPhone and reported to Apple:

[www.matterofpark.com]

dypark

Alot of the people on here is complete noodle brains okay so lets comment on the fact that people expect you to keep your cellphone glued to your hip. so when your home at your house you carry your cell phone around with you. do none of you men out there not have nosey girl friends or wives what if they get in there and see those text messages or numbers from your girlfriend?? you guys can be serious i dont use a password but this is a function that is in just about every phone on the market how can you accuse that apparently its important other wise why would it be available.

and for you people who dont think its a big deal dont freaking respond just because you are a nobody and does not have personal info on your phone does not mean others are too. remember when paris hilton phone got so called hacked it was all over the news.
i understand that the person has to have physical contact with the device but is that impossible think about the days you have is it impossible some body can pick your phone up for a few minutes and read the info.

bottom line is that no matter how many phone apple made they're a company and for them to F#$%* this bad on a phone is not ok if any other company did this they would hear it. the iphone 3g is starting to turn into a moto razr.

you guys are complete losers for ignoring the issues with your device i dont care what company made it if they say that it is suppose to perform a certain way and it doesnt they need to fix it and fix it fast and a apology would be nice too they did not even apologise so why are yall so loyal doesnt that mean they can care less about yall tools.

charger08

Once again...... You can avoid any potential breach doing the following:

1. In the iPhone home, go to Settings.
2. Click on General.
3. Click on Home Button.
4. Click on either "Home" or "iPod".

paja

@tomnzed: If you can do it, then set your double tap to a picture of your balls or something. That'll confuse 'em! After that, tracking your phone will be as simple as locating the voice of the person going, "what the FUCK?!"

PlayerX

and apple says that their products are flawless, yea right :)

tartooob

Sorry, but this is a non-issue people. Just like ANY computer (and that's what an iPhone is), once someone nefarious has physical access to the machine, all bets are off.

Should it be a LITTLE harder to circumvent the password? Probably. But honestly, if your secrets are that important, maybe storing them on a machine that can be pick-pocketed by any mid-level street urchin is not the best choice.

GroovyBrent

This is no more of a "huge" security flaw than me spending $10 and 5 minutes looking up your mother's maiden name, and then getting access to your gmail account.

P.S. Don't use your mother's maiden as a password question.
P.P.S. Don't take advantage of the iPhone's success to try and scare people into thinking you're onto something. This is childish.

JustEaton

Unfortunate, and they should fix this (quickly) but come on now... if the bad guys have physical access, they own your data. Period. To assume anything else is foolish.

Unseelie23

@dypark: I guess I'm not fully understanding your point in your blog post that you linked.

If a thief steals the phone and is able to change the length of time that the AutoLock is set for from 1 hour to 4 hours, couldn't they just as easily set it to NO AutoLock?

Could you explain the flaw a little more clearly, or perhaps do the YouTube demonstration of it thing?

distortedloop

@archercc: Just so you know, Blackberries had a similar issue and obviously no one ever knew as it was never published nor did anyone have a problem worth us knowing about or it being published. Which sorta makes this iPhone issue not a big deal. And your comment not so true.

doobiebros2two

Way to fail apple. Keep up the work.

cskelldog

This just removed any desire to buy an iPhone now. I think I'd rather just get a very basic cell phone that people are not going to bother trying to hack the passcode to.

theblackdog

This is a huge issue for enterprise and corporate users. One thing about posting the flaw (so that anyone can exploit it): It gives a sense of urgency to those who care and who need to make sure information about the workaround gets out. Thanks Jesus Diaz to doing just that.
If you believe that SOX only keep your feet warm, then you might not understand, and that is OK.
A corporate cell phone with email that can be read by anyone (especially at trade shows where one can often find the competition) will lead to lawsuits and ruined careers. Seriously. This had better get fixed quick!

thejman66

Imagine if it only took 3 buttons to bypass the password lock on WinXP, or Vista's login screen.

This really hurts Apple's credibility as an "Enterprise-ready" provider.

tommyk421

This is HUGE for the enterprises who are looking to insert Iphone into existing mobile infrastructure. Unfortunately, I am one of them. Imagine you are ready to buy thousands of Iphone to replace Blackberry, Palm and other PDA devices because of Iphone's superb design and then you found out that enterprise information (critical, non-critical, private or non-private) could be leaked into the wrong hands. Of course it is huge, folks. Now i have to think twice before making decision solely based on Apple's security consciousness.

Entprize

From an enterprise standpoint this is huge. Depending on the type of business you have, there are rules that have to be followed to ensure nondisclosure, privacy and protection of customer and financial data. Some of these rules specifically cover email and how it is handled. I have a rollout of about 200 of these phones in my organization. We use the policy settings to enforce a lock pass code. This breach is an absolutely hideous problem as there is no way to enforce a fix.

Chew on this for a few minutes. Apple doesn't have a way to enforce update rollouts. This means when they do provide a fix for this, the best I can do is send a mail to everyone asking them to patch. I can't enforce it, or even determine who has done it and who hasn't in order to follow up and encourage them to patch. Apple also hasn't provided us with a way to enforce settings changes on the phones via policy beyond a very small subset so we can't enforce the setting of the home button either, nor see whether people have deployed the workaround.

SOX compliance IT control objectives call for access controls for email that prevent interception and disclosure of confidential email. This easily qualifies as a known security risk for unauthorized disclosure. If I were a financial services company, I would pretty much be obligated to wipe these phones and deny access with them to corporate mail until the fix is released. As it is at the very least I should probably be freezing access to mail to force them to come to IT and have the workaround applied, then do it again when the patch comes out. That's going to be a popular decision.

At any rate, these things are not truly "enterprise ready" until it is possible to enforce patch compliance for security issues exactly like this one. Even being able to see the version of the firmware on the phones via the Active sync connection like you can with any other flavor of device (blackberry, windows mobile, etc) would be useful to help to enforce patch compliance. This whole thing makes me extra sad because as you can see by the fact that we have deployed 200 of these, I pretty much drank the koolaid and now it's going to cost me a ton of time.

phydeaux44

This vulnerability highlights a fundamental and distinct deficiency in the iPhone itself - lack of encryption. Users should expect their data to be protected and enterprises and business-oriented consumers will be hesitant to adopt widespread deployment of the iPhone without encryption. There is actually a product available that addresses this very vulnerability, it is called ContactCrypt, which encrypts the iPhone Contact info and does not expose associated URL's and e-mail addresses that can provide access to other portions of the device. If you're interested in protect