iPhone hack: Your iPhone's not as locked as you think

Do you lock the front door but leave the windows open? A new hack shows how iPhones are vulnerable, even when locked.

Samrang Pring / Reuters
A man uses his iPhone to film a Cambodian festival, Feb. 25. A new hack, the second in a month, allows a user to bypass the PIN of a locked iPhone.

A glitch in Apple's iOS 6.1 operating system makes it possible to access an iPhone's sensitive data, including contacts and photos, without entering the correct passcode, or personal identification number (PIN).

The security flaw, the second PIN bypass that security researchers have found this month, takes a bit of tricky button-pushing in a specific order. But once done successfully, it allows an intruder to download the phone's data over USB to a computer that would have otherwise been locked out.

The security hole was disclosed in full detail by Vulnerability Lab CEO Benjamin Mejri on Seclists.org, where he explained how to get around an important security feature that millions of Apple customers rely on every day. The hack involves simply manipulating the button-press sequence for the screenshot and emergency-call functions.

If the exploit is performed successfully, Mejri explained, the device will go into "black screen mode," showing a dark blank screen. Once the device is connected to a computer, the intruder has direct access to the compromised device's hard drive. A video Mejri produced shows the procedure all the way through to success.

TechNewsDaily was able to reproduce the "black screen mode" portion of the hack on an iPhone 5 by following Mejri's instructions but could not access the phone's hard drive once it was connected to a computer.

Earlier this month, a YouTube video surfaced showing a simpler iPhone hack that allowed unauthorized access to a phone's contacts and photos by making an emergency call and pushing the power button twice.

Apple released an operating system update, iOS 6.1.2, earlier this week, but it did not address this particular issue. The update instead fixed bugs related to the calendar app and battery life, even though Apple had told tech blog AllThingsD that a security fix would be coming in a future update.

Devices can be hacked in this manner only if an attacker has physical access to the device. So it's best to follow that advice you hear from the train conductor or read on signs in the bus: Keep your valuables close to you at all times.
