iOS 5 Security Issue: Making Calls Without Entering Passcode [Update: Siri Bypasses Passcode For almost Any Purpose] - MACNOTES.NET - iPhone, iPad and Mac News from Germany!
News: 16. Oktober 2011,

iOS 5 Security Issue: Making Calls Without Entering Passcode [Update: Siri Bypasses Passcode For almost Any Purpose]

iOS 5Last week, Apple released iOS 5 for iPhone 3GS and 4. iPhone 4S is available since friday. All those smartphones have one thing in common: They share a security treat which allows you to call back any person without knowing the passcode.

(Original Story) There’s a security issue in iOS 5 on the iPhone. All you need is an iPhone 3GS, 4, or 4S running at iOS 5 and a Passcode enabled. This Passcode should prevent an unauthorized person from doing anything which could harm data or cost money. However, answering calls is enabled without entering this code, but because of a security flaw, you’re able to call back, without the Passcode.


iOS 5 introduces the new notification system which tells you right on the lock screen what you’ve missed. Here’s right where the problem is: Apple implemented a “slide to call” feature which allows you to call back any missed call on your lock screen.

If you want to reproduce the problem, you need to set a Passcode. Go from the home screen to Settings, General, Passcode. Put your iPhone to sleep and wake it up if you want to check if there’s nothing else. However, this works even if there are other notifications (like a calendar event).

Now take a second phone and call your iPhone. Let it ring once and hang up. You’ll see a new notification on your iPhone about a missed call. The possibility to call back just comes in handy, just slide the icon to the right side and you’re good to go. Your iPhone will NOT ask you for the Passcode.

Well, that’s not really intented as the following features show:

  • You cannot use other functions like Messages without entering the Passcode
  • Not even the new quick-camera let’s you review older images. Just taking new photos is allowed

Even Apple itself shows off that this behavoir isn’t intended. Press the Home button while your iPhone dials the number and you’re at the “standard” lock screen. The only difference is the name of your contact (or the number) where date and time usually are. If your recepient denies the call, you’ll receive the message “User Busy”. The “slide to unlock” control will turn into a “slide to call back” control. Doing so WILL ask you for your Passcode.

Your best case is that the call will simply cost your money. A little worse is when you can pretend you’re the owner of the phone. But it’s also possible to turn your iPhone into a bug this way: It will send everything the original owner says to another phone until the owner gets notice of that, the battery runs low, or the call will be dropped for another reason. However, it’s even possible that the attacker spoofs his number for a premium-rate phone number (1-900-xxx) – and the Passcode will not prevent to call back.
In fact, without a set Passcode at all, it’s even easier to do the same and even more, but it’s not the common sense of the Passcode to enable people to cause costs to the owner without knowing the Passcode.

Credits go to our German reader David who informed us about this situation.

Update: Even worse is the fact, that Siri does almost never ask for a passcode. You can have contact information read, write e-mails and even call any number just by dictating. The only time Siri asked for the passcode was when we tried to have the last e-mail displayed. At least you’re able to disable Siri at all as long as the Passcode is active.


Zuletzt kommentiert

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>


Currently you have JavaScript disabled. In order to post comments, please make sure JavaScript and Cookies are enabled, and reload the page. Click here for instructions on how to enable JavaScript in your browser.