Critical iPhone security issue leaves your contents exposed

Most iPhone users are confident that using a passcode to secure their devices means that even if they lost them or they get stolen, their data will be protected from prying eyes.

Unfortunately for them, Bernd Marienfeld, an information security professional, discovered last week that the passcode protection can be bypassed by simply connecting the iPhone 3GS in question to a computer running Ubuntu 10.04.

According to him, the iPhone can be tricked into allowing access to photos, videos, music, voice recordings, Google safe browsing database, game contents, and more, by switching it off and connecting it to the computer, then switching the iPhone back on.

He claims that he has managed to get read-and-write access on 4 different non-jailbroken, passcode-protected iPhone 3GS devices with different iPhone OS versions installed. He says the vulnerability is definitely not an Ubuntu vulnerability, but a flaw in the iPhone’s way of implementing authentication when connected to a computer.

Apple has been notified of the flaw, and they managed to reproduce it, but have yet to push out a fix or to say when it will be made available.

In the meantime, heise Security has succeeded in using the same flaw to gain full system access to an iPhone – even to create a backup of the content – by using iTunes on Windows. According to Marienfeld, they could read notes, SMS messages and passwords in plaintext.

Since the iPhone has become the device of choice for many an enterprise user, Apple will definitely have to take a good look into the security settings and features of one of its most popular products if it wants to keep its market share – or increase it.