iPhone security hole lets you view contacts on a locked phone

It’s not been the best of weeks for iPhone security. First we had news that social network Path has been slurping the data from users’ address books without their permission and uploading it to their servers. Now security blog Peekay reports on an experiment in which they set out to gather as much information as possible from a locked iPhone 4. The results are a bit concerning – using the voice control function, they were able to access contact names, profile pictures and even place a FaceTime call. This was despite voice dialling being turned off in the phone’s settings.

Image: Peekay

When first attempting to place a call, the phone responds “Voice Dialling is disabled”, as we’d expect. However it’s when the user slides to unlock and taps “Emergency Call” that the hole begins to appear. Asking the phone to place a call this time results in a search of the phone’s contacts being performed, and any matches being displayed. When a match is found, the iPhone attempts to place the call, although it doesn’t connect.

This is a fair bit of information to gain from a locked phone. But it doesn’t stop there. If the user, instead of using the “call” command, uses the “FaceTime” command, the call actually connects and the video call works.

There’s been no immediate response from Apple to this report. With iOS 5.1 currently a work in progress, we’ll wait and see if the issue is addressed. In the meantime, better keep an extra eye on your phone.