Apple iPhone 3G/3GS/4 bug grants access to address book & telephone

Ah dear.

What is it with Apple? Can’t they make their devices actually work properly from a security standpoint? Given the fact that millions of businesses are moving to standardise on them, you’d think they’d have thought a little bit more carefully about getting the basic security correct.

What’s the problem? Well, it’s simple: even if your iPhone is ‘protected’ with a security passcode, that passcode can be bypassed with a few taps to reach the device address book, and the Global Address Book too, if one is configured. You can also make phone calls.

You what?

Yes, you read that right.

You can pick up any ‘locked’ iPhone and tip-tap-tip, you can make phone calls and mess around with the address book. I’ve ‘hacked’ my iPhone 4 with the technique.

Robert McMillan from PC World published this helpful post on the subject, referencing the MacRumors forum thread and a rather helpful video demonstration:

A bug in Apple’s iPhone OS gives thieves a way to unlock stolen iPhones and make telephone calls.

The flaw was first reported late Friday on the MacRumors discussion forum and is very much like other, similar bugs discovered in iOS over the past few years. In an Internet video, one user shows how it works on a phone that requires a security passcode before it will work. By hitting the Emergency Call button and then tapping ###, Call, and then quickly hitting Lock, he is able to open up the iPhone’s Phone program, look up the owner’s contacts and make telephone calls to any phone number.

No other iPhone applications are accessible, however, so the bug can’t be exploited to, say, send or read e-mail messages.

Every security chief at every Fortune 250 company that has recently deployed iPhones will be having kittens right now.

It’s not a *MASSIVE* gaping hole — it’s only the address book — but that’s enough to give most security people palpitations.

Is this why, if you’re doing anything on iPhone, you should be using Good Mobile Messaging? Or simply, sticking with RIM?