iPhones that have been password-protected and have voice dialing deactivated can still make FaceTime video calls, as well as disclose basic information about a person's list of contacts.
The security loophole, which is present in the latest version of Apple's iOS 5.0.1 software, was discovered earlier this week by Canadian tech writer Ade Barkah, who posted details about it on his blog. CNET confirmed it working on three different iPhones, including the iPhone 4 and 4S.
In short, it works like this: If you've got your iPhone set to what are basically the highest security settings--passcode required immediately, as well as voice dial and simple passcode off--you can still make FaceTime calls through the iPhone's emergency call feature using Voice Control.
Barkah discovered that even when voice dialing is disabled, you can get it to work from emergency call screen, the feature designed to let you call 911 or any other phone number without providing access to other parts of the phone.
There is one big snag though--voice calls won't actually go through. You can, however keep guessing first names of people who might be in the phone book, and if you find a match, you can initiate a FaceTime call with that person as long as the phone is connected to a Wi-Fi network. Barkah also noted that if the person does not have FaceTime set up, you're still able to see their full contact name and whatever photo is stored.
Apple did not immediately respond to a request for comment on the security issue.
The bug is not particularly useful with an iPhone 3GS--even though it has Voice Control--because it does not have a forward facing camera to support FaceTime, however contact names can still be seen. The loophole is also not all that useful when you aren't connected to a remembered Wi-Fi network (e.g. if the phone in question has been lost or stolen), since it's required by FaceTime to begin a chat. However Voice Control is a feature that cannot be completely disabled on the iPhone 3GS and later.
Of note, users on the iPhone 4S will only see the Voice Control screen if they have Siri turned off, which it is by default when a user first sets up the 4S. Siri has its own settings for what you can do when a phone is locked, which we've covered in the past.
This is not the first time the emergency call screen has been a gateway to access features and information that would otherwise be kept secret to those without the password. In October 2010 a bug was discovered that would let users access the complete contact list of a locked iPhone running iOS 4.1. A subsequent update fixed the issue. Prior to that, an earlier version of the OS in 2008 would let users double-click the home button from a locked iPhone's emergency call screen to gain instant access to the user's address book and voice mail, another hole that was patched with software
Apple is currently working on iOS 5.1, the next software update for iPhones, iPod Touches, and iPads. No word on if that will fix this behavior.