First iOS7 security loophole found.

[roninblade]

welp, that didn't take too long. loophole works on my ipad and a colleagues iphone here at work.

source

Forget the debate around the security or insecurity of the iPhone 5s’s fingerprint reader. The latest version of the iPhone’s operating system currently offers a gaping hole in its old-fashioned passcode lockscreen.

Jose Rodriguez, a 36-year-old soldier living in Spain’s Canary Islands, has found a security vulnerability in iOS 7 that allows anyone to bypass its lockscreen in seconds to access photos, email, Twitter, and more. He shared the technique with me, along with the video above.

As the video shows, anyone can exploit the bug by swiping up on the lockscreen to access the phone’s “control center,” and then opening the alarm clock. Holding the phone’s sleep button brings up the option to power it off with a swipe. Instead, the intruder can tap “cancel” and double click the home button to enter the phone’s multitasking screen. That offers access to its camera and stored photos, along with the ability to share those photos from the user’s accounts, essentially allowing anyone who grabs the phone to hijack the user’s email, Twitter, Facebook FB +1.66% or Flickr account.

I tested the technique on an iPhone 5 running iOS 7, and it worked. Rodriguez’s video shows it working on an iPad, too. It’s not yet clear if the same exploit can bypass the lockscreen of an iPhone 5s or 5c, but Rodriguez tells me he believes it will. I’ve reached out to Apple for comment and I’ll update this post if I hear from the company. Update: A spokesperson from Apple tells me that the company “takes security very seriously and we’re aware of this issue. We’ll deliver a fix in a future software update.”

Rodriguez has a track record of finding lockscreen bypass bugs in iOS, many of which he says he dug up while killing time in his old job as a driver for government officials. “I had a lot of time to look at the scenery, break the phone or write poetry while waiting for my boss, and I don’t write poetry and already knew the landscape by heart,” he tells me via instant message and Google translate. So he spent hours “trying everything that goes through my head…I submit my iPhone to cruel methods of torture.”

edit: easy fix: you guys need to disable control center from your lock screen. that should take care of the problem.

[roninblade]

another bug found. this one lets you make calls from a locked phone.

source: theverge.com

Apple released iOS 7 earlier this week and the first lockscreen bug surfaced just a day later. Now another bug has been discovered, but this one actually allows people to make phone calls from locked devices. Forbes was first made aware of the bug by Karam Daoud, and it's astonishingly simple. Simply go to the emergency call screen of a passcode-locked iPhone on iOS 7, dial a number, and hit the green "call" button repeatedly. Eventually the virtual button appears to get "stuck" and the phone crashes to the white Apple logo on a black screen — but the call itself actually goes through. We were able to replicate the problem on both an iPhone 5 and an iPhone 4S.

Of course, just like the other bug, this requires physical access to an iPhone, but unlike the earlier exploit it doesn't provide access to data on the device itself. Still, any behavior that allows someone to bypass a user's lockscreen without permission is clearly unacceptable, and we expect Apple will be addressing the problem with the first update to iOS 7. We've reached out to the company for comment, and will provide you with any further information as it becomes available.