updated 08:30 pm EDT, Fri September 20, 2013
First flaw easily avoided, new one not a security threat
As has happened with previous iOS releases, real-world user testing has uncovered a few bugs that slipped through the months-long beta process. Yesterday marked the discovery of the first serious bug, a method of bypassing iOS 7's lock screen security -- however, the flaw was complicated to achieve, easily avoided by simply disabling Command Center's optional ability to appear on the lockscreen prior to user passcode entry. The new issue takes advantage of a glitch in the emergency call feature to allow users to make regular phone calls, bypassing the passcode lock.
The bug is demonstrated in a YouTube video (seen below) and involves entering a phone number and then repeatedly pressing the call button until the call is placed. Normally, the emergency call function is only supposed to allow calls to 911 or other emergency numbers around the world. The flaw does not give attackers access to any other function or personal data, but can be used to make unauthorized phone calls if the person has physical access to an iPhone that is normally guarded by a passcode lock.
The earlier glitch found in Thursday would be considered more serious, as it allows users to bypass the lock screen entirely. Fortunately, that bug is easily avoided by disallowing the use of Command Center (a new feature in iOS 7 that makes it easier to turn functions on and off) from appearing on the lockscreen, thus requiring the passcode to gain access to it.
The new flaw has already been reported to Apple, and the company is likely to fix both problems in a future software update. New iPhone models have already been issued an iOS 7.0.1 version that is not available to older models running iOS 7. The updated firmware for the new iPhones is believed to correct some undisclosed issues with the Touch ID fingerprint sensor and iTunes Store authentication.