In a security flaw discovered by security experts Jim Herbeck and Bernd Marienfeldt, Ubuntu 10.04 ‘Lucid Lynx’ can read your iPhone’s and iPod touch’s files, even if you have a PIN in place. They tested using three non-jailbroken, up-to-date iPhone 3GS handsets. Their findings show that they could access the music, video, voice recordings, photos, databases, and game contents.
In their own words:
I uncovered a data protection vulnerability, which I could reproduce on 3 other non-jailbroken 3GS iPhones (MC 131B, MC132B) with different iPhone OS versions installed (3.1.3-7E18, modem firmware 05.12.01, and version 3.1.2-7D11, modem 05.11.07), all PIN code protected, which means the vulnerability bypasses authentication for various data where people most likely rely on data protection through encryption and do not expect that authentication is not in place.
This is what you get via an auto mount without any PIN request:
This data protection flaw exposes music, photos, videos, podcasts, voice recordings, Google safe browsing database, game contents… by in my opinion the quickest compromising read/write access discovered so far, without leaving any track record by the attacker. It’s about to imagine how many enterprises (e.g. Fortune 100) actually do rely on the expectation that their iPhone 3GS’s whole content is protected by encryption with a PIN code based authentication in place to unlock it.
Though this probably doesn’t present a large problem for the average consumer, enterprise users have something to worry about, considering how much data goes into the iPhone.
Hopefully Apple will be able to incorporate a fix in the near future (OS4, anyone?), though Canonical (the company behind Ubuntu) could also send out an update to address the problem on its side. Either way, don’t let a stranger with a laptop running Ubuntu 10.04 plug in your iPhone!