Tuesday, October 25, 2011

iPad 2 smart cover found to 'bypass' passwords

"Access granted"

After Siri, the Apple iPad 2’s “Smart Cover” has been found to pose a potential threat to the security of the popular tablet computer, an Apple enthusiast site reported.

The security flaw allows anyone with a “Smart Cover” to bypass even a password-protected iPad 2, 9to5mac.com said in a blog post.

“Now, a real iOS security flaw has emerged, and anyone with a Smart Cover can break into your ‘password-protected’ iPad 2. This issue occurs in iOS 5, but we’re hearing uncorroborated reports of it also working in earlier versions of iOS 4.3,” it said.

The discovery was publicized days after it was revealed that Siri, the personal assistant in Apple’s new iPhone 4S, can allow access to iPhone functions even if the iPhone is locked.

However, 9to5mac.com said the problem with Siri was more of an intended feature, since the iPhone 4S’ user settings can prevent Siri from giving access to a locked iPhone.

A demo video posted on the site showed that while a person who unlocks the iPad 2 this way will not have complete access to it, he or she will be able to get into whatever the user had open when locking the iPad 2.

“If your iPad 2 went to sleep in Mail, Safari, Messages, Contacts, or Maps, you can imagine the sorts of personal information that can be viewed on your iPad. If you left your iPad 2 on its Home screen, the person can view which applications you have on your device, control media from the multitasking bar, but not much else,” it said.

The site said users can recreate the scenario with the following steps:

  1. Lock a password-protected iPad 2
  2. Hold down power button until iPad 2 reaches turn off slider
  3. Close Smart Cover
  4. Open Smart Cover
  5. Click cancel on the bottom of the screen

Temporary solution

A temporary fix for this bug is to disable Smart Cover unlocking in the iPad 2 settings menu under the General tab.

‘Misleading’ Apple statement

Computer security firm Sophos noted a “misleading” statement by Apple regarding the iPad for business, where it supposedly provides hardware encryption for all data stored on the device.

It also provides additional encryption of email and application data with enhanced data protection.

But it said iOS 5 devices have the exact same implementation flaw of the AES 256 encryption as iOS 4: While the data is encrypted, iOS provides unfettered access without knowing the passcode or possessing the encryption keys.

“This type of misleading statement shows how the specific meaning of a statement might imply that all of your data is protected where the reality is the devil is in the implementation details,” it said in a blog post.

Sophos said this means all media such as photos, videos, sound recordings and music can be accessed from a computer that can speak Apple’s control protocol without any authentication, even if the device is locked.

Unauthorized calls

Sophos also cited an article on MacNotes.de describing how to make unauthorized outgoing phone calls with someone’s locked iPhone with iOS 5 - if you have a missed call notification.

“If you were to forge your caller ID (somewhat trivial for VoIP users) you could call someone’s iPhone with a number you wanted to call out to and then just tap the screen to dial the number,” it said. — TJD, GMA News

1 comment:

  1. Just tried this on my co-worker's iPad 2. It worked on the 2nd try. Thanks.