A bug in iOS 5.0.1 can let a rogue person in possession of your passcode-protected iPhone 4 or iPhone 4S, with voice dialing deactivated, make FaceTime calls and view certain fields of your contacts from the lock screen.
The hack, which was discovered by Canadian tech writer Ade Barkah, exploits the Emergency Dialer accessible via the lock screen to accomplish this task.
You can reproduce this bug on your passcode-protected iPhone with voice dialing disabled by following these steps:
- "Slide to unlock" on the lockscreen, and instead of entering the passcode, hit the "Emergency Call" button to get the emergency dialer.
- Now long press the home button to bring up Voice Control and try to FaceTime with any of your contacts.
- The call goes through, and you'll be able to FaceTime with a person from your locked phone.
Even if a person in your contact list doesn't have FaceTime set up, you can see the contact's image on the screen.
Although the same process could be replicated for voice calling a person, the voice call doesn't actually go through, but it could be used to reveal other information as explained below.
The loophole could be used to see certain details of a contact by trial and error. For instance, if you have two entries for a contact named "Bob" and you tell Voice Control to "Call Bob," it would present the full names of both Bobs. Similarly, if a contact has two phone numbers, with one of the phone numbers filed under a custom field, Voice Control would present both of these fields (not the number), which could potentially leak private information.
This isn't a very serious flaw, though. For starters, the phone would need to be connected to a Wi-Fi network. If it is, the person in possession of your phone would need to have some knowledge of your address book. And since the problem is only with Voice Control and not Siri, the majority of iPhone 4S users won't be affected. (Voice Control shows up only when Siri is disabled.)
It is a bug nonetheless, and Apple will most likely fix it in the upcoming iOS 5.1 update.
Ade has, in the past, discovered similar bugs that make information that should ideally be private accessible via the lock screen.
Does this sound like a security threat to you?