Passcode Security Flaw Update: it’s a bug in the iPhone OS, not a hack of Ubuntu/Linux
News spread yesterday after Bernd Marienfeldt discovered a security issue: passcode-enabled iPhone devices are still accessible from a stock Ubuntu 10.04 system. The story has now reached major sites on the Internet.
Since those reports appear to point out that Ubuntu/Linux is “teh evil”, I’ll try to explain why this is totally false information and FUD.
The basic workflow he pointed out was:
- Set a passcode on a device
- Switch off the device
- Attach it to an Ubuntu system it was never attached to before
- The device starts booting
- Ubuntu automounts the device media partition and allows access
The expected behavior is that the device would refuse to pair with the unknown system due to having a passcode set.
Now the problem here is that you can replicate this flaw with any operating system.
Both Windows and Mac OS X are affected: repeating this process under those systems reproduces the exact same issue and, once the device is attached, allows device access with tools like iPhone Explorer just fine, even with a passcode set.
It has nothing to do with Linux except that it became evident here first since Ubuntu auto-mounts any device as soon as it is ready. The guys at libimobiledevice could not replicate it initially as it only affects devices with a long boot cycle.
To sum it up: Ubuntu Linux, as well as other Linux distributions using libimobiledevice, does work correctly. The real bug is hidden within the iPhone OS and is thus unrelated to the operating system used, as iTunes is evidently affected by this, too. This is something Apple is most likely going to fix in the next OS release, hopefully correcting only this misbehavior, which in the future should give you, on Linux, the dialog seen in the picture for this post.
So please stop spreading FUD that Ubuntu/Linux is “hacking your phone”. Thanks.
Oh, and I’d like to dedicate the dialog you see above to Bernd. We are about to introduce it to GNOME’s GVFS now, just to show that Linux does indeed detect and show information about a passcode refusal just fine, similar to what iTunes shows. ;)
UPDATE 02/06/10: It appears the issue only applies if you switch the device off during an “unlocked” state (thus you entered the passcode already and see the icons), but not if you power it down while it requests you to enter a passcode, making this whole mess less dramatic…