Passbook: A Security Flaw?

In the third week of September 2012, Apple released the much anticipated iOS version 6 for it’s iOS devices (that includes the iPads, iPhones and iPod Touches). One of the new features included was a little App called Passbook. This App allowed a single location for all of your passes, tickets and coupons, as well as location-based reminders.

One of the abilities was to provide, at the lock screen, a relevant ‘pass’ upon reaching the location where it would be used. My first chance to experience this was last week when Starbucks UK (finally) updated their UK App to provide Passbook integration. Over the last week or two I’ve been fortunate enough to be working with a client based in London City and so have taken advantage of this moment to put it through it’s paces.

How’d it go?

Well overall, the Passbook App works great. In the Starbucks App I have to set which ‘card’ I would like in Passbook, and which of my favourite stores I’d want to use it in. These stores are only the ones that prompt at the lock screen, there’s nothing stopping me use the Passbook card at any other Starbucks’.

Each morning, I’d walk into the nearest favourite Starbucks, place my order, and pull out my iPhone with the card already on the lock screen for use. Admittedly, sometimes it would be a few seconds behind, and the free cloud WiFi caused problems as it required a webpage authentication but still let the iPhone connect but overall not a bad experience.

However, after a few days, I started to notice a particular issue. If I was at my favourite store, and the iPhone provided the Passbook card, a simple swipe showed the balance and the bar-code, ready for use. Helpful, yes, but this didn’t seem secure…

Security

Like most iOS users, I have contacts, calendars and emails relating to my work that could cause issues if lost. Additionally I do have personal details that would cause no actual damage but large amounts of inconvenience if lost. One way to protect them is to set a passcode lock. This simple step will dissuade most thieves in even bothering to break in (resulting in it wiped, but at least your data is safe!). You could also pair this with the “Wipe after ‘X’ failed passcode attempts” to assist in data leak prevention.

What I found with the Passbook Apps is that once it has appeared on the screen, anyone with their hands on the phone could use the card without knowing or even being prompted for my passcode.

OK, so this isn’t as bad as say, access to a multinational companies financial records but still:

  • I load money, real money, onto that card prior to use.
  • It can be used repeatedly as long as the Passbook App is open.

Being the sort of person who doesn’t like to be cut short I’ll typically try and keep at least £10 on there. This would mean that any thief would have access to at least £10 of my money, in addition to my ~ £400 handset!

How likely is that?

To be fully honest, it is a lot of “ifs and buts” but the possibility is still there, and just from normal, standard, everyday use of the App and features. I’m also not trying to scare anyone away from iOS, or fully using the features, but this raises questions for the everyday end user. The full circumstances are:

  1. Theft of the physical iOS device.
  2. Installation and use of the Starbucks Passbook App card.
  3. Knowledge of the victims ‘favourite’ Starbucks Stores.
  4. Presence at one of these stores.

The use is also limited to just Starbucks, but it gets you thinking about the possibility of other Apps having the same vulnerability, with the blame resting on Passbook.

Can I turn off the lock-screen portion of Passbook?

Yes, and this would prevent the scenario above, but with loss of functionality so is a trade off.

  1. Go into the main Passbook App
  2. Look for a small ‘i’ symbol, typically in the lower right corner of the ‘card’. Click it.
  3. On there would be the option to “Show on Lock Screen”. Turn this off.
starbuck passbooks app

Summary

I hope this hasn’t worried you too much, but it is something to give at least some thought too.
What if you were a regular in one store, and you left behind your iOS device? Could you trust that one of the other regulars wouldn’t try ad get a few free coffees on your cash?

How do you feel about this? Is there anything further that can be done? Let us know in the comments below and I’ll try to respond to as many as I can.

 

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

 

 

Share this post online:

4 Responses to “Passbook: A Security Flaw?”

  1. Darren says:

    Hi all,

    As some of you may have noticed, Apple have released an update to the iOS software in the form of version 6.0.1. After some digging around in the security related release notes, it seems they may have fixed at least some of the flaw (quote below). I have my updated iPhone with me and later today I hope to be able to test if this update fixes the issue.

    Darren
    Amsys Plc

    Quote (URL: http://support.apple.com/kb/HT5567):

    “Passcode Lock

    Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later

    Impact: A person with physical access to the device may be able to access Passbook passes without entering a passcode

    Description: A state management issue existed in the handling of Passbook passes at the lock screen. This issue was addressed through improved handling of Passbook passes.

    CVE-ID

    CVE-2012-3750 : Anton Tsviatkou”

  2. Darren says:

    After a couple of days testing, I can confirm that the above iOS update does not resolve this ‘issue’.

    Darren
    Amsys Plc

  3. Sylvia says:

    Has this security flaw been resolved yet?

  4. Darren says:

    Hi Sylvia,

    To be honest I’m afraid I haven’t tested the issue since. I have left access turned off at the login screen.

    To be honest, I’ve not seen any release notes to say that it has been fixed.

    Darren

Leave a Reply