Insecurity And Exchange: iPhone Passcode Bugs Revealed


As recently as this past July, we've reported on how feeble the iPhone 3GS's encryption is for truly secure business applications.

Now comes word of some strange behavior in how the iPhone handles device password policies, as well as passwords altogether.

Writing in NetworkWorld, IT security analyst Jay Sartori tested a 16GB iPhone 3GS running firmware 3.0.1 and configured to use Exchange ActiveSync (EAS) mail going through a proxy server.  Sartori first checked EAS password policies, which under normal circumstances require the user to set a password and, after 20 minutes of inactivity, force them to enter it again.  On a Windows Mobile device, this worked fine.  But on the iPhone, because of the different uses of the “Auto-Lock” and “Passcode Lock” settings, Sartori could override ActiveSync's password timeout settings after connecting to the server.

A second bug relates to alphanumeric passwords.  Sartori discovered that if an iPhone originally had a combination of numbers and letters as a password, and the password was then changed to a four-character all-numeric value, the ability to change it back to an alphanumeric value was lost.  Any good hacker can crack a four-digit passcode on his coffee break.  The only way to correct this is to remove the Exchange account from the iPhone, add it back, and then enter a more complex password when prompted.

Not surprisingly, Sartori concluded that the iPhone, despite everything good about it, is still Not Ready For Serious Business Prime Time.

About Dactyl Anapest
