apple

A bug was originally discovered in iOS 6.1 which allowed users to bypass the lockscreen passcode, providing access to contacts, along with the contact and photo apps. Apple was expected to fix this security vulnerability in iOS 6.1.2 and did introduce a fix, but that fix addressed a different security bug. The vulnerability therefore still exists and is expected to be fixed in the upcoming iOS 6.1.3 update, currently in the hands of developers. It is not the first time a security vulnerability like this has been discovered, but it appears a lot of information can be obtained through this particular bug.

It was originally posted on the Full Disclosure mailing list. Kaspersky’s Threatpost:

Similar to the iPhone’s passcode vulnerability, the exploit involves manipulating the phone’s screenshot function, its emergency call function and its power button. Users can make an emergency call (911 for example) on the phone and then cancel it while toggling the power on and off to get temporary access to the phone. A video posted by the group shows a user flipping through the phone’s voicemail list and contacts list while holding down the power button. From there an attacker could get the phone’s screen to turn black before it can be connected to a computer via a USB cord. The device’s photos, contacts and more “will be available directly from the device hard drive without the pin to access,” according to the advisory.

Users should be aware of this vulnerability until a fix is released by Apple. iOS 6.1.3 is also expected to fix the Evasi0n jailbreak, so a big decision has to be made when iOS 6.1.3 is finally released to the public: jailbreak or security? Given the scale of the security vulnerability, it is recommended that when a fix is published to the public, users update to the latest iOS to keep the information stored on their device safe.