I always get a bit antsy about ~~hacking~~ researching vulnerabilities when I travel, and this time is no exception. Often I notice “glitches” or abnormalities which I want to investigate, but since I’m in the middle of riding my motorcycle from Canada to Argentina, infosec has been on the back burner.
Recently I took advantage of great wi-fi in Costa Rica to finally upgrade my iPhone 4 to iOS 5. Double-clicking the home button now allows one to quickly access the Camera app even from a locked phone:
Since the phone is locked, the Camera app has a feature barring access to the iPhone’s album: you can only see pictures taken during the current (locked) session.
As an aside, I thought I noticed a glitch whereby I could completely bypass the passcode lock, but it turns out it’s just poor UI from Apple. (There’s a state where the phone is locked but a passcode is not yet required, and the UI during this period can be misleading.) I changed the passcode setting to “immediate” after that.
While researching the above “glitch”, I was intrigued at how the Camera app’s album manager was able to segregate your “protected” images vs. the ones from the current session. It’s like a “jail” for images. I wondered if I could break out of this image jail.
It turns out Apple’s restriction is just a simple filter on the photo timestamp: the app records the time when the lock-screen Camera session was invoked, and you are allowed to see every image whose timestamp is later than that invocation time. That leaves an immediate hole: if your iPhone’s clock ever rolls back, then every image with a timestamp newer than the (rolled-back) session start time becomes viewable from your locked phone.
But time always moves forward, right? Why would your phone’s clock ever roll backwards?
- It could be due to user error. E.g., maybe while traveling across timezones you accidentally set the iPhone’s date or time incorrectly (rather than simply resetting the timezone). If you set the clock ahead of what it’s supposed to be, then this vulnerability will appear when you reset to the correct time. If you accidentally set the clock to the past, then your images will immediately become unprotected.
- It could be an iPhone glitch. E.g., a software or hardware issue could reset your iPhone’s clock to epoch time — iPhone’s “zero” time at midnight January 1, 2001. In this case all your images are exposed.
- It could be an infrastructure error. E.g., if the phone automatically syncs from an erroneous external time source (the cellular carrier’s network time, etc.).
I don’t think normal (non-Apple) apps can change the iPhone’s clock, but if they can then that could be another possible source of rollback.
This vulnerability is simple to test. Just set your iPhone’s clock to a time in the past (say, in 2010). Then access the Camera while your phone is still locked. Lo-and-behold, you’ll be able to see all your “protected” images.
The point to all this is that Apple should not rely on a simple timestamp comparison to restrict image access. Changing the iPhone’s clock, forwards or backwards, should not affect its security. We can’t guarantee the clock will always move forward monotonically, and when it doesn’t, the system should fail secure: a photo taken from the lock screen should be tagged as belonging to that session, and the locked album should show only photos carrying the current session’s tag, regardless of what the clock says.
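To make the failure concrete, here is an added example of my own (not Apple’s code, and not the Camera app’s actual implementation) that models the timestamp filter described above, runs it through the three clock scenarios from the list, and contrasts it with a session-tag filter that never consults the clock. The `Photo` class, the album contents, the dates and the session ids are all constructed for the demo.

```python
"""Model of the lock-screen Camera album filter (added example, not
Apple's code) and a session-scoped alternative that does not depend on
the clock moving forward."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
import itertools


@dataclass(frozen=True)
class Photo:
    name: str
    taken_at: datetime        # the phone's clock reading at capture time
    session: Optional[int]    # lock-screen session id; None = taken while unlocked


# Constructed sample album: two "protected" photos taken while unlocked.
PROTECTED = [
    Photo("beach.jpg", datetime(2011, 11, 10, 14, 0), None),
    Photo("passport.jpg", datetime(2011, 11, 15, 9, 30), None),
]


def timestamp_filter(album, session_start):
    """The rule the post describes: show every photo whose timestamp is
    newer than the moment the lock-screen Camera session was opened."""
    return sorted(p.name for p in album if p.taken_at > session_start)


class SessionScopedAlbum:
    """Hardened alternative (my suggestion, not Apple's): photos captured
    from the lock screen are tagged with an opaque per-session id, and the
    lock-screen album shows only photos carrying the current id. The clock
    value is stored for display but never used for the access decision."""

    def __init__(self, photos=()):
        self._photos = list(photos)
        self._ids = itertools.count(1)   # assumed: ids issued by the OS, not the app

    def open_locked_session(self):
        return next(self._ids)

    def capture(self, name, clock_now, session=None):
        self._photos.append(Photo(name, clock_now, session))

    def visible_in_session(self, session_id):
        return sorted(p.name for p in self._photos if p.session == session_id)


def demo():
    """Walk through the clock scenarios; returns what each filter shows."""
    results = {}

    # 1. Clock correct: a lock-screen session opens and one photo is taken.
    start = datetime(2011, 11, 20, 10, 0)
    album = PROTECTED + [Photo("selfie.jpg", datetime(2011, 11, 20, 10, 1), 1)]
    results["ts_correct_clock"] = timestamp_filter(album, start)

    # 2. Clock rolled back to 2010 (user error, reset to epoch, bad time
    #    source): the session start is now older than every protected photo.
    rolled_back = datetime(2010, 1, 1, 0, 0)
    results["ts_rolled_back"] = timestamp_filter(album, rolled_back)

    # 3. Clock was a year ahead when a photo was taken, then corrected:
    #    that photo carries a "future" timestamp and leaks in later sessions.
    album_ahead = PROTECTED + [Photo("receipt.jpg", datetime(2012, 11, 20, 12, 0), None)]
    results["ts_corrected_after_ahead"] = timestamp_filter(
        album_ahead, datetime(2011, 11, 21, 8, 0))

    # Session-scoped filter under the same rollback: nothing leaks, because
    # the protected photos carry no session tag at all.
    scoped = SessionScopedAlbum(PROTECTED)
    sid = scoped.open_locked_session()
    scoped.capture("selfie.jpg", rolled_back, session=sid)
    results["scoped_rolled_back"] = scoped.visible_in_session(sid)

    # A later session does not see the earlier session's photo either.
    results["scoped_next_session"] = scoped.visible_in_session(scoped.open_locked_session())
    return results


if __name__ == "__main__":
    for scenario, visible in demo().items():
        print(f"{scenario:28s} -> {visible}")
```

The session tag only helps if the app running behind the lock screen cannot mint or alter tags itself, so in a real design the tag would be assigned and checked by the OS-side photo store rather than by the Camera app; the point of the model is simply that the access decision contains no comparison against the wall clock, so no clock change, in either direction, can widen what a locked phone shows.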
In the big picture, if real “bad guys” have physical access to your phone, then the game is over already. However, as I wrote previously, defense-in-depth is a basic concept which should always be applied.
On various occasions I’ve advised clients to secure their time servers, etc., in the context of esoteric cryptographic attacks, audit logging, and other protocols which depend on accurate timekeeping. I’m a bit amused that the iPhone is vulnerable to a simple time change.