Apple has said that it is aware of a vulnerability in its iPhone that will be fixed in a software update next month.
According to the Sydney Morning Herald (SMH), a flaw allows anyone to gain access to the phone function, without entering a passcode, by pressing some touchscreen buttons and a physical button. Using this method, the SMH was able to make phone calls on a passcode-protected iPhone 4 with the latest software updates and also send emails of contact cards, all without entering the PIN.
However, the bypass failed to work on an iPhone 3GS, although it did work on the older 3G phone. Apple said that it is 'aware' of the flaw and will fix it in a software update next month.
It said in a statement: “We're aware of this issue and we will deliver a fix to customers as part of the iOS 4.2 software update in November.”
Alan Bentley, SVP international at Lumension, said: “The reported flaw in the iOS4 operating system comes as absolutely no surprise. With the mass adoption of high profile devices like the iPhone, it was only a matter of time before cyber criminals turned their attention to this new data hotbed and began to find ways to crack the codes and unlock the valuable assets within them.
“In addition to the obvious impact this threat could have on consumers, businesses worldwide have issued iPhones to employees to support mobile working. With the vulnerability potentially exposing reams of personal and corporate data, this is a threat Apple must tackle quickly. Until now, security concerns over smartphones have been about protecting the data being sent from the device and unauthorised connectivity into corporate networks, but now users have to be equally mindful of what, or who, might get in.
“An initial step businesses can take is to ensure that all employees are fully aware of the risk at hand with this new threat, until Apple releases the necessary patching to tackle the flaw and close the gates and keep the bad guys at bay once again.”
PC World reported that the passcode bypass bug can be reproduced by touching the Emergency Call button on the Enter Passcode screen, then, on the Emergency Call screen, dialling a non-emergency number (such as '#') and hitting the call button, immediately followed by the hold/lock button on the top of the phone. It is demonstrated in this YouTube video.