iPhone security issue regarding passcodes

IT security analyst Jay Sartori decided to play around with the new iPhone 3GS to see how it interacts with the Exchange ActiveSync feature and whether its password protection is as good as it should be. He used a 16GB iPhone 3GS running firmware 3.0.1, configured to use Exchange ActiveSync through a proxy server (F5 Firepass in front of Exchange 2003 SP2).

And this is what he found out:

1. A user can change the time required for the device to activate the “Passcode Lock”. That means that if the administrator set the time to 15 minutes through EAS, the user can reconfigure the device to ask for the password again only after as long as 1 hour. A lot can happen in one hour. Administrators should be aware of this.

2. Let’s say you configured your password to consist of 6 alphanumeric characters. As you enter it, asterisks are shown on the screen to mask the characters.

So far, so good. The problem arises when you change the password to any four-digit numeric combination – because you can’t change it back anymore. Yes, you can change the numbers, but you can’t enter letters or special characters. (Apparently, this bug doesn’t appear if you change the password to a 4-character one that uses alphanumeric characters.)

This is dangerous because now anyone who wants to break into your phone knows that the password is 4 characters long and includes only digits – and that is not hard to crack. When this happens, just remove the EAS account and add it back again. You will be asked to enter a new, complex password.
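Both findings come down to the same gap: the settings the device actually enforces can drift away from the EAS policy the administrator pushed. The following is an added example, not code from the article or from Apple or Microsoft, of a small compliance check that compares a device's effective passcode settings against the policy and reports the discrepancies described above. The `EasPolicy` and `DeviceState` fields are constructed for this illustration and do not correspond to any real EAS or iPhone API; the alphanumeric keyspace assumes 36 symbols (digits plus one case of letters).

```python
"""Added example: flag an iPhone whose effective passcode settings are weaker
than the Exchange ActiveSync policy it is supposed to enforce.
The two record types below are constructed for this illustration only."""

from dataclasses import dataclass
from typing import List


@dataclass
class EasPolicy:
    """What the administrator configured through EAS (constructed field names)."""
    max_inactivity_minutes: int    # longest allowed idle time before the passcode lock engages
    min_passcode_length: int       # shortest passcode the policy accepts
    require_alphanumeric: bool     # True: a digits-only passcode is not acceptable


@dataclass
class DeviceState:
    """What the device actually enforces after the user's changes (constructed field names)."""
    inactivity_minutes: int        # idle time the user selected on the device
    passcode_length: int
    passcode_is_numeric_only: bool


def passcode_keyspace(length: int, numeric_only: bool) -> int:
    """Number of candidate passcodes an attacker would have to try.
    10 symbols for digits-only; 36 (digits + one case of letters) is assumed for alphanumeric."""
    symbols = 10 if numeric_only else 36
    return symbols ** length


def policy_violations(policy: EasPolicy, device: DeviceState) -> List[str]:
    """Return a human-readable finding for every way the device falls short of the policy.
    An empty list means the device is compliant."""
    findings: List[str] = []

    # Finding 1 from the article: the user raised the lock timeout above the EAS maximum.
    if device.inactivity_minutes > policy.max_inactivity_minutes:
        findings.append(
            f"inactivity timeout {device.inactivity_minutes} min exceeds "
            f"policy maximum {policy.max_inactivity_minutes} min"
        )

    # Finding 2 from the article: the passcode became a short, digits-only code.
    if device.passcode_length < policy.min_passcode_length:
        findings.append(
            f"passcode length {device.passcode_length} is below "
            f"policy minimum {policy.min_passcode_length}"
        )
    if policy.require_alphanumeric and device.passcode_is_numeric_only:
        findings.append(
            "passcode is digits-only but policy requires alphanumeric "
            f"(keyspace {passcode_keyspace(device.passcode_length, True):,} candidates)"
        )
    return findings


if __name__ == "__main__":
    # Constructed scenario mirroring the article: 15-minute / 6-char alphanumeric policy,
    # device drifted to a 1-hour timeout and a 4-digit numeric passcode.
    policy = EasPolicy(max_inactivity_minutes=15, min_passcode_length=6, require_alphanumeric=True)
    drifted = DeviceState(inactivity_minutes=60, passcode_length=4, passcode_is_numeric_only=True)
    for finding in policy_violations(policy, drifted):
        print("VIOLATION:", finding)
```

The keyspace figure is what makes the second finding concrete for a reviewer: a 4-digit numeric code offers 10,000 candidates, while a 6-character alphanumeric one offers over two billion under the 36-symbol assumption, so the check prints the number alongside the violation rather than leaving the reader to work it out.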

