Emergency Call Security Flaw Persists in iPhone 2.1
About a month ago Dieter reported about a fairly large security flaw in firmware 2.0.2 that gave access to Safari, Email, and a frightening amount of personal data. Apple patched it in 2.1. Or did they?
This could be a flaw, or feature, but it turns out you still have the ability to make a phone call, to any number, while the iPhone is locked with a passcode. Wasn’t the “emergency” call feature meant to call “emergency” numbers such as 911 only?
Apple can you please put this on your “need to fix” list? Thank you!
(Via Macrumors, as discussed way back in 2.0.2 on the forums of iLounge.com)
September 20th, 2008 at 1:01 am
I actually enjoy being able to hand a locked phone to my girl so she can make a call, plus why would you go through the process of unlocking and launching the phone app to call a number you just saw on tv or something. I like this feature.
September 20th, 2008 at 1:48 am
I also see it as a feature, not a bug. Think of the scenario where you try 911 but it doesn’t work for some reason. You can still call the local police department or sheriff’s office, highway patrol, etc. Also, since iPhone is intended to be able to work internationally, it seems like it would be difficult to know what the emergency number is wherever you happen to be. The “911″ dial code is not a standard, it’s just what we use in the US. Other regions / countries have their own emergency numbers.
September 20th, 2008 at 2:48 am
its been like that since 1.0.
September 20th, 2008 at 4:51 am
I also like the emergency feature to be able to function as a phone. it is a phone after all. I will be easily give to someone else to make a call without letting them peak to my data
September 20th, 2008 at 7:43 am
Sorry guys, while I understand some of your points I just don’t see this as a feature. When a phone is locked… it should be locked from every feature no? Maybe I am crazy. Maybe I don’t have to worry about my girlfriend going thru my phone either… maybe a combination of both. And how many of you know your local police department number off the top of your head? How about your highway patrol number? Not many people I’m betting. Especially in a emergency situation. If someone stole my phone and I for some reason didn’t know, anyone could make as many calls as they’d like.
September 20th, 2008 at 10:14 am
it was the same since the first version
September 20th, 2008 at 3:25 pm
This is NOT the same as the bug, which IS now fixed. You could navigate to other screens before, now you can’t. Please update the thread.
Scott
September 20th, 2008 at 3:34 pm
@Scottb, I never said it was the same bug from the 2.0.2 firmware. Simply said that Dieter reported on that bug a few weeks back. Sorry if you took it the wrong way.
September 20th, 2008 at 3:42 pm
some people probably don’t like the idea that other people can call from a locked iPhone to any number they wish, and would prefer that this not be possible. Whether it’s a feature or a security failure depends on the user. If someone called a billable number and stuck you with thousands in charges, you might think it’s a failure.
The real failure, however, is not knowing. Articles like Macrumors’ helps keep us all informed. Now we know, can make informed choices, and react swiftly if we lose control of our device.
September 20th, 2008 at 4:10 pm
@Jeremy,
I think it’s still misleading. The originally reported bug was a bug. This is the way Apple designed it to work. There is a difference - and the press loves jumping on any little Apple flaw, so I think it’s equally fair to report when it’s fixed - I see NO articles anywhere talking about the fix, yet everyone reported it as being there - and rightly so.
Scott
September 20th, 2008 at 4:29 pm
@Scott, sorry you feel that. But I feel this is something that isn’t right. Has Apple ever states it’s supposed to be this way? And sure you’ve seen articles that state when something is fixed… Apple likes to fix bugs in firmwares, when a new firmare is released we always list everything that was included in the firmware including bug fixes.
September 20th, 2008 at 4:42 pm
An emergency call to me does NOT just mean 911. In many instances, 911 is not the primary choice, and in a panic, calling my wife or child IS an emergency call. If your phone is stolen or lost, you can have it killed remotely. If I need to make a call quickly in a panic, I don’t want 911 as my only option. The BUG - the one that let you navigate the iPhone - was fixed. Two separate issues, IMHO. I’m not angry here, but I think this is not clearly being portrayed in this piece.
Scott
September 20th, 2008 at 5:26 pm
That is your opinion and that is completely fine. I just look at a emergency call differently from you. Simple as that. I also noted it could be looked at as a feature or bug. We always won’t agree.
Jeremy
September 20th, 2008 at 10:52 pm
If I lock my phone, I want it locked. If Apple wants to allow a number other than 911 than why not allow an list of ICE (in case of emergency) numbers that you can customize. This way, no one can start making international calls or toll calls.
Give me a choice. If you allow me to lock my phone and it doesn’t LOCK… its a problem to me and I’d bet a large number of people.
Geez, it’s just hard to believe people can be so devoted to a company and drink the cool-aid. Apple can and do make mistakes.
September 21st, 2008 at 8:08 am
This is neither a flaw, nor a feature. It’s simply the way the phone was designed and being able to access the contacts, web and mail is simply a byproduct of that design.
The fact that you can disable this behavior by turning on a setting (albeit it, indirectly of another lock setting) in settings alone shows its not a flaw.
I have a big problem with blogs posting this as a flaw however. They use the same tactics newspapers do to rile up readers and cause panic over nothing. “Oh my god, my iphone can be hacked.” “Oh my god, my iphone has a huge security flaw” and so on. A reader who might not have heard of this before or just started to read a blog they never read before that had this sort of material would most certainly construe it this way among other readers who just aren’t educated enough to make this discerption. Take some of the comments so far as examples.
You should know better. You can get just as many readers implementing other tactics.
September 21st, 2008 at 8:37 am
@Alex, I’m sorry you have a problem. First of all this article was not about the previous bug that Apple admitted to regarding being able to access the contacts, web and mail. So you saying that was neither a flaw or feature makes no sense what so ever. Apple admitted it was a bug and they fixed it in the latest firmware. So I’m not sure where you are coming from regarding that.
http://www.theiphoneblog.com/2008/08/29/apple-speaks-security-fix-firmware-coming-in-september/
As you can see Apple themselves called it a security flaw and that = bug in my opinion.
Regardless, the article that I wrote here is about being able to place a call to any number while the phone is locked not the bug they did fix. Sorry if you were confused.
September 21st, 2008 at 11:16 am
Why are you guy so bent on defending Apple and saying there was no bug? THEY admitted IT was a security flaw prior to 2.1. So Apple admits to a flaw and you guys are still blind and saying it’s just the way the phone is. No wonder people call you guys fanboy cool-aid drinkers.
Apple is just like any other company. They make mistakes and their priority is to make money. Steve is not your friend or god. He is a CEO. His job discription is clear. Maximize shareholder returns and revenue.
Anyhow, this article is about how the lock feature does not truly lock the phone. Not the APPLE ADMITTED bug.
It’s not exactly a phone lock if any schome can grab my phone and start making calls. Take a survey. Just implement a fricken customizable ICE list. Most new phones have that now. It should be easy.
September 21st, 2008 at 11:48 am
911 is not the only emergency number in the world. US is NOT the entire World.
September 21st, 2008 at 11:51 am
@Ed, we understand that. And that really has no bearing on the fact that Apple has left the phone WIDE open to make any call to ANYONE even though the phone is locked. None what so ever.
September 21st, 2008 at 12:02 pm
Ed, if you lock your phone and hand it to me… do you feel I should be able to dial an international phone number? This is the question at hand. NO ONE said it should only be able to call 911. Just not ALL numbers.
September 21st, 2008 at 2:11 pm
This is unreal. I’m a “Kool Aid” drinker now? My *ss. My Blackberry allows me to make calls on a locked phone too. Where’s the outrage? You anti-Apple “Kool Aid” mainliners need to get a life. I called the pre-2.1 problem a legit flaw - it was. This ability to make an emergency call is probably wanted by a majority of owners. Would it be BETTER if you could customize that? Sure. Send Apple feedback. Given the evolution of the software, it’s not unlikely.
As for THIS SITE separating the two issues - one is a bug, the other, depending on the person, is bad design or not.
Two completely different issues. Enough of the juvenile name-calling here.
If I defend Apple - and sometimes I do, sometimes I don’t - I’m not a drinker, I’m a thinker. Do the same.
September 21st, 2008 at 3:13 pm
I’m not sure if you read my post correctly. I did not call everyone who defends Apple a “Kool Aid” drinker. (spelling correction noted) Just the ones who still maintain there was no bug when Apple themselves said there was and who will defend Apple against ANY critism.. I don’t know if Blackberry allows ALL calls or not. Never had one. BUT if it does, and I used one I would be saying the same thing at the Blackberry forums.
I’m glad you don’t defend Apple regardless of the situation but there those that do.
BTW. Does your Blackberry allow you to make calls to any number when locked? Or just selected ones? Is there an option to disable that? Like I said I’ve never used BB. I currently have a 3G and used WM prior to this.
September 21st, 2008 at 6:06 pm
My BB has an option to make calls. It is allowed via policy pushed by the BES (BB enterprise server) Since I don’t have it with me - the iPhone is my new default - I can’t say if there are limitations. My recollection is no, but as with all software, certainly that would be possible - and preferable, I will agree. I just think calling this a bug is misleading, and I can’t seem to get Jeremy to change that. This is by design. Calling it a flaw asserts a bug to most people, which we know it’s not.
You can also set policies with the iPhones using the “iPhone Configuration Utility” I will look to see if there’s a way to limit using this utility later on today. I’m going back to the Pitt/Phil game now
Cheers