peekay

random stuff about software, infrastructure, security, etc


More fun with a locked iPhone 4

February 5, 2012 by Ade

Perusing the private address book and making live video calls — all from a locked iPhone 4.

Last time we explored how an incorrect time setting could expose your pictures on a locked iPhone.  Today we’ll have a bit more fun.

Often when doing security work, you’re happy if you manage to leak just a single bit (yes, one binary digit) of encrypted material.  That one bit could be the tip of the iceberg, so to speak, which might lead to more secrets underneath.

Let’s see how many bits of personal information we can gather from a locked, passcode-protected iPhone 4, without jailbreaking or using any special tools.

Below is a screenshot of my iPhone’s lock setup screen.  The settings are rather conservative: a long passcode is required immediately; and Voice Dial is DISABLED (when the screen is locked).

Passcode Lock setup screen

Note: I’m using an iPhone 4 (not 4s) with vanilla iOS 5.0.1 (the latest at this time).  I do not have Siri on this phone.

When the iPhone 3GS first came out, many were surprised that Voice Dial was enabled by default on their locked iPhones (and similarly, with Siri on the 4s).  So for our exercise today, we made sure Voice Dial is turned off.

Voice dialing is accessed by long-pressing the phone’s home button.  Again I’ve disabled voice dialing, but the fine print on the setup screen above notes that “iPod Voice Control is always enabled” so it can still be used to play songs, etc.

Can we trick this restricted Voice Control into leaking some private info, and perhaps into making calls for us?  (Yes, we can!)

First let’s see how the Voice Dial restriction works.  I lock my phone, then long-press the home button until Voice Control appears.  I command it, “call <Alice>”.  The phone responds with “Voice Dialing is disabled”.  As it should.  All good, right?

Voice Control screen

Now “slide to unlock” but instead of entering the passcode, hit the “Emergency Call” button (bottom-left).  We get this special emergency call screen:

Emergency Call screen

With this screen showing, I again bring up Voice Control, and repeat, “call <Alice>”.  This time the phone responds with “No match found”.  Hmm, different!!

Actually, that response in itself, my friends, is already a leak.  Voice Control reveals that I don’t have a contact named “Alice” in my Contacts.  One leaked privacy bit.

Just to test, let’s try with someone who’s actually in my address book, my friend Wayland.  I bring up Voice Control again from the Emergency Call screen and say “call <Wayland>”.

(Locked) Voice Control calling Wayland

Wow, it tries to dial out!  Although the call fails to actually connect, the screen reveals Wayland’s full name and that I have his mobile number.  Not a huge deal, but more leaked bits!

At this point, it’s easy for anyone to enumerate through the Contacts by simply trying common first names like Adam, Bob, Charles, etc.  Let’s see how far we can go.

Here’s an example when I say, “call <Lisa>”:

Multiple matches shown for the name Lisa

Voice Control leaks that I have two Lisas in my contact list, one Lisa Atkins and one Lisa Klein**.  Repeating with “call <Lisa Klein>” yields further information:

Multiple numbers listed for Lisa Klein

Now Voice Control leaks that I have two numbers for Lisa Klein: her “mobile” and another number at the “love shack”.  Had this been my jealous girlfriend probing my locked phone, I would’ve been totally busted!

Remember, we’re getting all this info from a locked phone with Voice Dial explicitly disabled.

So far we’ve only enumerated through the Contacts.  Can we actually complete a call from the locked phone?  With FaceTime, the answer is yes!

Again starting from the Emergency Call screen, this time I say, “FaceTime <Lisa Klein>”.  And Voice Control dutifully connects, to the love shack, with full two-way video live streaming.  Yikes!  Not what I’d expect from my locked phone!

Lisa please don’t answer…

During testing, the FaceTime calls from my locked iPhone successfully connected and I was able to see + converse with the other party.  The test calls disconnected after a few minutes, but those disconnections might be due to the spotty internet service here at my hotel in Medellín, Colombia.

Bottom line:  We’re able to trick Voice Control into enumerating the private address book and making live FaceTime video calls on a locked iPhone 4, even with Voice Dial specifically disabled in the settings.

**Some names faked to protect the innocent.

Special thanks to Wayland Chan for helping me test FaceTime.

p.s. I have not tested this issue on the iPhone 3GS, which has Voice Control but lacks FaceTime.

UPDATE: Feb 8, 2012:  While the iPhone attempts to connect the FaceTime call, it will show the contact’s profile picture if any.  So a stranger using your iPhone could possibly see pictures of your contacts even if they do not have FaceTime enabled.

UPDATE: Feb 9, 2012: CNET also tested the bug on the iPhone 3GS and the iPhone 4S.


16 Responses

  1. on February 9, 2012 at 12:34 pm An iOS 5.0.1 bug lets anyone make FaceTime calls and spy on contacts.

    […] blogger has discovered a flaw in Apple’s new security system in the recent iOS update, namely iOS 5.0.1. […]


  2. on February 9, 2012 at 1:28 pm Exploit gives access to Facetime on a passcode-locked iPhone - iPhone - iPhoneclub.nl

    […] possible to hold a Facetime conversation with an iPhone locked by a passcode. This was discovered by Canadian blogger Ade Barkah. By activating the iPhone’s voice control on the […]


  3. on February 9, 2012 at 1:29 pm A serious iOS 5.0.1 bug allows FaceTime calls to be started even with security settings enabled on the iPhone - iPhone Italia – The Italian blog about the Apple iPhone 4S, iPhone 4 and 3GS

    […] discovery was made by Canadian blogger Ade Barkah, and refers to a security bug present in iOS 5.0.1, the latest update […]


  4. on February 9, 2012 at 2:15 pm An iOS 5.0.1 bug puts our privacy at risk! - iSpazio – The Italian blog for news on Apple’s iPhone and iPod Touch, with reviews of App Store applications and games and jailbreak guides

    […] Canadian blogger Ade Barkah has discovered a new flaw in the latest release of Cupertino’s mobile operating system that makes it possible to […]


  5. on February 9, 2012 at 2:38 pm A serious bug in i5.0.1 initiate FaceTime Calls even with security settings enabled on the iPhone

    […] discovery was made by Canadian blogger Ade Barkah, and refers to a security bug found in iOS 5.0.1, the latest update released to the public for […]


  6. on February 9, 2012 at 3:49 pm Security Bug In iOS 5.0.1 Allows Anyone To Access Address Book Even If Protected By A Passcode | Redmond Pie

    […] headlines for a few days before it dies out, infrastructure research and security blog, Peekay, has released some timely information about how users can bypass security measures on an iPhone 4S, 4 and 3GS, […]


  7. on February 9, 2012 at 4:00 pm iOS 5.0.1: a bug lets anyone make FaceTime calls | BiteYourApple

    […] flaw was found by blogger Barkah on the iPhone 4 even though he had enabled the security systems. The bug lets anyone […]


  8. on February 9, 2012 at 4:05 pm iPhone Facetime Bug Shows Names On Locked Phones, Even With Security Settings | GizmoCrazed

    […] Earlier this week Canadian tech writer and consultant Ade Barkah stumbled upon a shocking security loophole present in the iOS 5.0.1, Apple’s latest operating […]


  9. on February 9, 2012 at 5:01 pm An iOS 5.0.1 bug lets you start a FaceTime call and get to the address book « eMxPi's Blog

    […] Source […]


  10. on February 9, 2012 at 7:24 pm iOS 5.0.1 Bug Allows Anyone To Access Contacts And Make Calls Even If Protected By A Passcode - Jailbreak 5.0.1 - 5.1 CydiaHelp

    […] Canadian tech blogger Ade Barkah has discovered a new security loophole in iOS 5.0.1 that make easy to anyone to make call out even […]


  11. on February 9, 2012 at 7:33 pm iOS flaw lets you make calls with a locked iPhone - iPhone 4s - iPhoned.nl

    […] iOS it is possible to look in the address book of a locked iPhone. Canadian blogger Ade Barkah posted an article on his weblog after he found this out. When an iPhone is locked you have […]


  12. on February 10, 2012 at 6:33 am iOS 5.0.1 Flaw Discloses Your Address Book Buddies | GiveHaxTo.Us – Find All free hax and media for any device only here! All Media Here!

    […] “Had this been my jealous girlfriend probing my locked phone, I would’ve been totally busted!” he writes. […]


  13. on February 10, 2012 at 2:49 pm Facetime security issue from lock screen « FaceTime Video Calls : Information, Tips & Help

    […] locked iPhone. If you’re the paranoid type, you’ll want to check this out: https://peekay.org/2012/02/05/more-fun-with-locked-iphone-4/. Today, 7:49 am No […]


  14. on February 10, 2012 at 6:09 pm MacDroid » iOS 5.0.1 bug allows FaceTime calls to be made from the iPhone’s emergency call screen | MacDroid

    […] a little over a month ago discovered a bug in the iPhone’s photo viewing system. Now he is back with one related to calls […]


  15. on February 10, 2012 at 11:05 pm iOS 5.0.1 Threatened by a Bug That Grants Anyone To Make Calls Regardless of Any Passcode Enabled

    […] 5.1 is such a riddle right now for i-Users, but what if you knew that a recently discovered bug, by Ade Barkah – a Canadian tech blogger, threatens iOS 5.1 to the extent that Apple might announce the release […]


  16. on February 21, 2012 at 8:06 am Security flaw in iOS 5 allows access to contacts and making calls

    […] not long ago a similar flaw was also found that let us make calls, in this case from Facetime, gaining access through Voice Control […]


