Confirmed: iOS 6.1.3 Has Another Passcode Security Flaw [Update]
iOS 6.1.3 was pushed out just the other day to fix two lockscreen flaws discovered in iOS 6.1. The good news is that the software update is indeed a fix for earlier bugs, but iOS 6.1.3 remains vulnerable to another passcode lock flaw that involves using Voice dial on the iPhone 4.
YouTube user videosdebarraquito (via iPhoneclub.nl) has posted a video, which you can see below. I was a bit skeptical about the video, since it doesn’t show whether the iPhone is running iOS 6.1.3 or an earlier version, so I tested it on my iPhone 4 running iOS 6.1.3. We can confirm that the security flaw is indeed present, and that it allows the “intruder” to access your address book and browse the pictures on your device.
The hack relies on Voice dial on the iPhone 4, which lets a call be placed even when the passcode lock is on. Here is how it works:
- I used Voice Control to dial a number (the video shows calling 123, but we think it is possible with any number, as long as the phone dials that number).
- As soon as the "dialing xxx" message appeared, I ejected the SIM card.
- The call ended, and I saw the history of my recent calls.
- From that moment on, I could browse through the Contacts, edit them, and even add a new contact or picture, either by taking a new photo or by choosing one from the photo library, as you can see from the image above.
Remember, this only works with your iPhone in the intruder’s hands, and the iPhone locks again as soon as you insert the SIM card.
Update: Here is our own video successfully testing this passcode bug, using an iPhone 4 and iPhone 4S (Siri needs to be disabled to enable Voice Control). Check it out below:
The exploit also works on the iPhone 5, as shown by iPhoneblog.de: