The latest iPhone embarrassment is a security hole that makes it simple to access stored data on supposedly locked iPhones. Apple said Thursday that a software patch to solve the problem is in the works.
An unauthorized user can exploit the security hole simply by double-pressing the button to make an emergency call. That action brings up the owner's preferred contacts, and clicking on a number provides full access to the phone's features. Clicking on an e-mail provides access to all e-mail. And clicking on a contact name provides full access to all contacts data.
Apple spokesperson Jennifer Bowcock said, "The minor iPhone security issue which surfaced this week is fixed in a software update which will be released in September."
There is a simple workaround, Bowcock said: iPhone owners can simply change the settings so double-clicking the emergency button returns a user to the home screen, which will present a password login field if password protection is turned on.
'Design Deficiency'
While an attacker must be in physical possession of the iPhone to exploit the security bug, it "highlights a fundamental design deficiency with the iPhone," said Andrew Storms, director of security operations with nCircle Network Security.
"Despite Steve Jobs from day one saying the iPhone was secure , functionality and aesthetics of the device seem to always win out over security," Storms said. A case in point, Storms said, "Apple quickly released updates to fix 3G connectivity issues this year, but consistently takes many months to release security updates."
This particular security hole -- a simple bypass of access restrictions -- was created by Apple's preference for functionality over security, he added. "Even when a user chooses to physically secure the device with a four-digit passcode, Apple has chosen to still permit the user to use some functionality," Storms said. "By selecting to perform an emergency call, the user can then gain access to other options, which eventually leads them to near-full access on the phone -- never having had to enter that passcode."
Open Door for Espionage
While this security hole will not allow remote hacking into the device, executives carrying iPhones with sensitive information in e-mail or the contacts list could easily find their information compromised. In May, U.S. Commerce Department officials left a laptop unattended during a visit to China and discovered that their hosts had copied the contents of the hard drive and used the information to attempt to hack into U.S. government systems.
In April, a Mexican press official was arrested after nabbing several BlackBerries left outside a hotel meeting room by White House staffers.
Stories like that underscore the security dangers of a device that makes false security promises. "Enterprises need to maintain their vigilance with Apple," Storms said. "This is an exceptionable security flaw that is not an acceptable risk for many enterprises and consumers alike."
"Until Apple begins to publicly address these fundamental design, development and process issues, enterprises will remain skeptical of the iPhone being an acceptable mobile device," Storms said.