A new technique has been unveiled to bypass the four-digit password lock on the iPhone, exploiting a vulnerability in an important security mechanism for data protection on the device.
YouTube user videodebarraquito demonstrated a hacking technique to get around a user's security code to make a call, access voicemail, view or modify contacts or browse photos. The business logic flaw was demonstrated in a video posted Jan. 31 on YouTube. The hacking technique was demonstrated on an iPhone 5 device running iOS 6.1, 6.0.2 and 6.0.1.
The YouTube user said the bypass could be used to "prank your friends" and urged viewers not to use the technique in an attack.
"Easy trick that allows bypass an iPhone's passcode and get full access (see and edit) to contacts list, list of recent calls, favorite contacts, and even make a call to any phone number on the hacked device and erase the log," YouTube user videosdebarraquito wrote in the video description demonstrating the flaw. "Please do not use this trick to do evil."
The video has been viewed nearly 24,000 times. After using the bypass technique, the user is presented with the emergency call capability available on locked iPhones. After pushing down the power button and tapping cancel, a few more steps will prompt the slider to turn the phone off, but tapping the emergency call button and then pressing the power button and home buttons will enable access to the device.
Apple did not respond to a request for comment. The Cupertino, Calif.-based company has been guarded about discussing how it addresses security issues with its products. Dallas De Atley, Apple's manager of platform security, presented at the 2012 Black Hat conference in Las Vegas, which marked the first time that the software maker has ever spoken publicly about its products' security architectures and engineering processes.
Apple products have been a favorite focus of white-hat security experts. Security researchers Charlie Miller and Dino Dai Zovi have written about Apple internals and the iOS architecture. Apple banned Miller from obtaining early builds of iOS 6 in 2011, following a proof-of-concept demonstration in which he ran malicious code on an iPhone.
It is not the first time that a passcode bypass has been demonstrated on the device. Previous attack techniques bypassed security codes by pressing a combination of phone and camera functions.
In 2010, a similar iPhone passcode bypass technique was demonstrated on iPhones running iOS 4.1. In that hack, users were prompted to hit send and the iPhone's sleep button in rapid succession to gain full access to the device.
PUBLISHED FEB. 15, 2013