Glitch in iPhone Exposes Locked Photos
If you set the clock back on an iPhone running Apple’s iOS 5, it is possible to view all the photos on the phone, even if it’s locked.
The latest version of Apple’s mobile operating system allows users to use the camera on a locked iPhone by double-clicking the home button, but it also prevents access to the entire photo gallery. To see pictures other than the ones just taken, users have to enter a passcode and unlock the phone.
Canadian researcher Ade Barkah discovered a simple way around this built-in “image jail,” as he called it in a blog posting.
Barkah found that the filter that divides protected images — those that can be viewed only when the phone is unlocked — from unprotected images is based on the timestamp logged when the camera app was opened. Users cannot see photos taken before that point unless they unlock their phones.
“Yet that leads to an immediate hole,” Barkah wrote. “If your iPhone’s clock ever rolls back, then all images with time stamps newer than your iPhone’s clock will be viewable from your locked phone.”
Barkah tested the vulnerability and found that simply changing the time in the iPhone’s settings was enough to make protected photos viewable.
Although most users have their iPhones’ date and time automatically set by their cellular network, Barkah outlined a few instances in which user error — such as when manually adjusting the clock after crossing time zones — or a software or hardware malfunction could open phones to this exploit. An app that somehow changed the iPhone’s clock could be another source of attack, Barkah said.
Barkah did not say whether he tested this exploit on an iPad running iOS 5, but it would be reasonable to assume that the same would apply.
“The point to all this is that Apple should not rely on a simple time stamp to restrict image access,” he wrote. “Changing the iPhone’s clock — forwards or backwards — should not affect its security.”
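The filter Barkah describes can be modelled in a few lines. The following is an added example, not Apple's code or Barkah's; the `Device` class, its method names and the timestamps are constructed for illustration. It puts the timestamp comparison next to a filter that records which photos the locked session itself captured, so the wall clock plays no part in the access decision.

```python
from dataclasses import dataclass, field


@dataclass
class Photo:
    photo_id: int
    taken_at: float  # wall-clock time stamped at capture


@dataclass
class Device:  # hypothetical model of the phone, not a real API
    clock: float                                  # wall clock; can be set back
    library: list = field(default_factory=list)
    session_start: float = 0.0
    session_ids: set = field(default_factory=set)

    def capture(self, in_locked_session=False):
        photo = Photo(len(self.library) + 1, self.clock)
        self.library.append(photo)
        if in_locked_session:
            self.session_ids.add(photo.photo_id)  # remember what this session took
        return photo

    def open_locked_camera(self):
        self.session_start = self.clock           # timestamp logged at app open
        self.session_ids = set()

    def visible_by_timestamp(self):
        # Filter as described in the article: trusts the wall clock.
        return [p.photo_id for p in self.library if p.taken_at >= self.session_start]

    def visible_by_session(self):
        # Clock-independent filter: only photos captured in this locked session.
        return [p.photo_id for p in self.library if p.photo_id in self.session_ids]


def scenario(clock_at_lock_screen):
    """Two photos taken while unlocked, then one from the lock-screen camera."""
    dev = Device(clock=1000.0)
    dev.capture()                        # photo 1, unlocked
    dev.clock = 2000.0
    dev.capture()                        # photo 2, unlocked
    dev.clock = clock_at_lock_screen     # 3000.0 = normal, 500.0 = rolled back
    dev.open_locked_camera()
    dev.capture(in_locked_session=True)  # photo 3, from the lock screen
    return dev.visible_by_timestamp(), dev.visible_by_session()


if __name__ == "__main__":
    print("normal clock:", scenario(3000.0))
    print("rolled back :", scenario(500.0))
```

With a normal clock both filters show only the photo taken from the lock screen; after the rollback the timestamp filter returns the whole library while the session filter is unchanged.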
Article provided by SecurityNewsDaily, a sister site to Laptopmag.com.