
Posts tagged ‘4.1’

26
Oct

Making Calls Using Keylock Bypass Bug on iOS 4.1

A keylock bypass bug has been found in iOS 4.1 which allows unauthorised users to circumvent the passcode screen to make calls. It’s a pretty simple trick which involves entering a number (e.g. 1) on the ‘Emergency Call’ screen, pressing Call and then immediately pressing the lock button. This brings up the Phone app where the user can pick a name from the contact list, or enter a phone number of their choice. To return the phone to normal (without rebooting it), just hold down the Home button until the Voice screen comes up, press Cancel, and then the lock button.

You are able to add/delete contacts, and open the Mail app by sharing a contact where you can then create and send emails.

Here’s a demo:

I’m running 3.1.3 on an iPhone 2G, and for some reason I can make arbitrary calls directly from the Emergency Call screen without any fancy tricks. Go figure.

These kinds of vulnerabilities are not unique to iPhones, however; similar bypass bugs have been found in some Android-based phones.

[Update] Thanks Andy for clarifying what an attacker can do using this technique.

[Update 2] This bug has been fixed in the iOS 4.2 update.

13
Oct

Chronic dev team releases greenpois0n jailbreak

The chronic dev team (@chronicdevteam) have released greenpois0n, their iOS jailbreak tool featuring an implementation of geohot’s bootrom exploit. Downloads are available for Mac OS X, Windows and Linux. It also only works on iOS 4.1.

This release of greenpois0n supports:
– iPhone 4
– iPhone 3G S
– iPod touch (4th Generation)
– iPod touch (3rd Generation)
– iPad

Soon there will be another release, adding things like support for:
– Apple TV (2nd Generation)
– iPod touch (2nd Generation)

[Updated 4/2/2011] greenpois0n updated to jailbreak iOS 4.2.1
