iPhone software 2.2, emergency calls, and passcode security

Nov 21, 2008

iPhone software 2.2 was released today. I don't yet know what other interesting features it has, but it has a bunch of security updates. And this one in particular caught my eye.

Passcode Lock

CVE-ID: CVE-2008-4228

Available for: iPhone OS 1.0 through 2.1, iPhone OS for iPod touch 1.1 through 2.1

Impact: Emergency calls are not restricted to emergency numbers

Description: iPhone provides the ability to make an emergency call when locked. Currently, an emergency call may be placed to any number. A person with physical access to an iPhone may take advantage of this feature to place arbitrary calls which are charged to the iPhone owner. This update addresses the issue by restricting emergency calls to a limited set of phone numbers.

I sort of had the impression that you can only call emergency numbers, but you could call anything. But it's fixed now. My old Sony Ericsson T610 had the same feature, but it did check that you only call particular emergency numbers like 911 (US), 112 (EU) and some others. If you tried to enter something else, it just didn't let you.

But in case of iPhone, this is kind of a moot point because it seems to me that most people never use passcode security or SIM lock in the first place. iPhone is the first mobile phone that I have had, which does not have ANY security turned on by default, which I imagine is the mode that most people run it in. So if someone gets their hands on your iPhone, they can impersonate you and go to all the websites and read your emails that you have stored there.

I don't know if there are extra layers for corporate security and VPN (does it prompt you for password every time you connect or something like that), but if it doesn't, then I'd be worried as a corporate security manager. I have not really looked at the corporate policy options and features that the iPhone now has, but I imagine there are features to enforce more stringent security policies there.

As a private user, though, nobody is going to enforce your own policies, and you'd better exercise your own sound judgement. I'd just recommend turning on passcode lock for everyone. It's a bit annoying at first, but I'd rather have that than someone looking at my private data in my phone.