A bug in iOS 4.1 allows people to access the contact list and make phone calls from password-protected iPhones via a simple button combination.
The bypass clearly violates the security function of the phone and exposes it to misuse if stolen, lost or left within reach of an ill-intentioned individual.
The issue was originally revealed by a user on the MacRumors forums and others quickly confirmed that it works on both jailbroken and unjailbroken devices.
"When your iPhone is locked with a passcode tap Emergency Call, then enter a non-emergency number such as ###.
"Next tap the call button and immediately hit the lock button. It should open up the Phone app where you can see all your contacts, call any number, etc," he writes.
Other users reported that they also obtained access to voice commands, as well as voicemail and call history. Returning to the lock screen after misusing the phone only requires tapping "end."
It seems that the flaw is specific to iOS 4.1, which is used in iPhone 4 and iPhone 3GS. It doesn't work on older versions of the operating system.
Apple has been notified of the issue and plans to address it in the next iOS update. "We’re aware of this issue and we will deliver a fix to customers as part of the iOS 4.2 software update in November," a company spokeswoman told Wired.
This is not the first time such a bug has been found in iOS. Back in August 2008, a similar bypass was reported on MacRumors.
It involved pressing the "Emergency Call" key, then double-tapping the home button, and allowed possible intruders to access the address book, email client, as well as the browser. The bug was fixed in iOS 2.1.
Here's a video of a Brazilian iPhone customer demonstrating the latest bypass: