20080829

Favorites Scmavorites

Okay, a hundred sites have posted information on the iPhone exploit where you can bypass the security code required to unlock the phone. I don't think as I was playing with it last night that I discovered anything that nobody else has discovered. But I'll give a run-down of all the nifty things I was able to do with it once I got to the favorites screen:

  • If a single favorite has a URL, you can tap that and get Safari - the full shebang, so go to a jailbreak site. Game over. I think the security code is stored on the SIM, however, so this wouldn't necessarily bypass that - but since the phone is jailbroken, you should be able to run a telnet or ssh service in the background (good luck following that IP address for long, though).
  • If the favorite has a physical address, tap that to get to maps. More on that later
  • From Maps, put in the name of a company you know has a website. When the pin comes up for it, follow the link - back in Safari. Game over - as above.
  • From Maps, you can also see the home address of every contact on the phone. Or overwrite the contact information for every contact on the phone.
  • If a Favorite has an email address, you can tap the email addy to get to a Mail compose window. Cancel the message, and you have *full* mail access. Also, if there are links...
  • Hit Text Message and you go to the SMS composer window. Cancel that SMS message, and you can read all their previous SMS messages.
  • If the victim's Home button is configured to go to iPod, then you get full iPod controls.

Now, before you think I've gone all gloom and doom on you, I haven't. That's a very targeted attack against a single person. The most common way this would happen would be as a social engineering attack. I often get asked if somebody can use my phone because their ride hasn't shown up at the bus stop yet. The Emergency Call feature is what that's for - press Emergency Call and tap the numbers you need, but you don't get access to all the other junk. So this is a one person at a time sort of attack. This isn't some freaky remote exploit (not that it couldn't be).

There are a couple of things I haven't experimented with on this. First, I've only got one iPhone and not a budget for doing research on the iPhone, so jailbreaking it while it was locked could brick my phone at my own personal expense. If somebody else wants to hit a jailbreak site with a "locked" phone, be my guest. Second, some websites are able to open Maps from Safari - this works just like opening Youtube. Can you also open Stocks? Notes? Arbitrary other app on the phone?

And of course, Apple will probably have this fixed in the next rev of firmware (putting off copy/paste yet again). And until that time, you can either make new favorites with just phone numbers, or you can remove all your favorites, or you can change the home button behavior to go to the home screen instead of favorites. Or you can avoid getting your iPhone into the hands of strangers.

0 comments: