Posts with tag security

Apple acknowledges iPhone passcode flaw, promises fix next month

Apple's taking a pretty lackadaisical attitude toward one of the most easily avoided security flaws in recent memory, calling the iPhone's passcode lock bypass a "minor iPhone security issue" and saying that a fix will be rolled out in September. Thanks, Apple; we suppose it'd be a little too much trouble to ask for a fix sooner, even though you already fixed it once in 1.1.4. For what it's worth, a company spokeswoman is quick to point out that the flaw can easily be hidden by changing the home button double-click functionality to take you to the home screen, but most users don't know that, now do they? Way to show some hustle, guys -- cookies and gold stars all around.

iPhone security flaw bypasses passcode lock

Let's be real: a four-digit code isn't very much separating a determined bandit from your data, which is all that the iPhone affords. Granted, the phone locks up after a few attempts to slow your arch-nemeses down a notch or two, but if your code is your birthday or the last four digits of your phone number -- and you know it is, so just admit it -- they'll eventually figure it out anyway. On second thought, though, never mind, because it turns out there's a pretty effective way around these formalities -- 2.0.1 and 2.0.2 have both been confirmed to let you around the passcode lock simply by hitting Emergency Call and double-clicking the home button. At this point, the user will have access to your Favorites list, which is pretty bad as-is, but from here, they'll be able to click on an arrow and use links within your contacts to get out to the SMS, Maps, or Safari apps. If you change the home button functionality from the default (Favorites) to Home, then nothing will happen at the Emergency Call screen -- your phone is safe from prying eyes, we guess. The iPod option will kick the user into the iPod app, though, which we think is almost as bad as the Favorites exploit, because we'd really rather not our thieves know that we listen to Hannah Montana. MacRumors is reporting that it may have already been fixed for a future firmware release, so yeah, any minute now would be just great, Apple.

[Thanks to everyone who sent this in]

RIM finds security flaw in BlackBerry Enterprise Server

RIM has issued a security warning to BES admins about a problem with the BlackBerry Attachment Service and PDF files. The flaw apparently allows would-be hackers to execute malicious code with a specially crafted PDF file. The Waterloo messaging behemoth has listed BES versions 4.1 SP 3 through 4.1 SP5, and BlackBerry Unite! as affected and rated the severity as 9 out of a possible 10 -- with 10 being the highest level of fail. Thankfully a workaround is available on RIM's site involving disabling the processing of PDF files until RIM can issue a fix for the misery. Hit the read link for the dirty details.

[Via PCWorld]

RIM changes course, promises to keep Indian BlackBerry network secure

Although several Indian news outlets reported last week that RIM was preparing to let the Indian government monitor the domestic BlackBerry network, it appears that the outcry has prompted the company to change course and announce that it's committed to "serving security-conscious businesses in the Indian market." That's a big reversal from the rumored plan, which would have allowed Indian security agencies access to the network in exchange for taking the blame for any leak of user data. Of course, not everything's quite settled yet: the Indian government is still demanding that RIM furnish "satisfactory answers" to its security questions, and RIM told the AFP that there are some other ways for "government to take care of security concerns" without elaborating further. Based on RIM's enterprise-heavy statements and refusal to comment on the consumer service, we'd guess that enterprise customers will probably get to keep their networks locked down, but that consumers shouldn't expect their messages to be secure. Not the best compromise, but we'll see how this all plays out.

How to "format" an iPhone to clear your data completely


We briefly mentioned using junk data to overwrite the iPhone's flash as a last-ditch method of securely clearing off your user data yesterday, and although we were half-joking, that's pretty much your only option until Apple provides a proper secure erase feature. Security researcher Rich Mogull has helpfully laid out the steps for you, and they're pretty much what you'd expect: restore your iPhone, don't sync any personal data to it, and then manually transfer three different playlists large enough to fill the flash. Essentially you're doing a manual three-pass overwrite, which is pretty much exactly the long and tedious process it sounds like -- but we wouldn't dream of selling or giving away our iPhones (or any other phone with personal data on it) without struggling through it.

[Via Hack A Day]

Refurbished iPhones are an excellent source of previous users' data


It looks like you might have to think twice before flipping that old iPhone on eBay when the 3G version finally hits -- it appears that restoring the phone doesn't actually erase the contents of the flash, meaning that your data is available to anyone with the proper tools until it's overwritten. Making matters worse, it appears that Apple doesn't do a low-level format when refurbishing iPhones either -- an Oregon State Police detective was able to use forensic software to pull files, emails, and screenshots off an out-of-the-box refurbished iPhone. This actually shouldn't be surprising to anyone -- we've seen several utilities that access "deleted" portions of storage -- but since Apple doesn't provide users direct access to the iPhone's filesystem, it's basically impossible to clear your personal data off the device short of restoring and filling the disk with junk data. Hopefully iPhone 2.0's Exchange-based "remote wipe" feature is a bit more secure, eh?

[Via TUAW]

KoolSpan's microSD TrustChip keeps C out of your A + B conversation


Sure, we've seen cellphone encryption contraptions before, but KoolSpan's aiming to make things extra easy for green CIA agents. Set to be released next month, the microSD TrustChip slips right into many a smartphone and enables callers to hit up other undercover gurus and chat with 256-bit AES encryption, providing that the receiver of the call has a TrustChip jammed in his / her phone as well. Furthermore, the device itself touts enough features to make Maxwell Smart all sorts of envious: on-chip crypto processing, key management and a tamper-resistant environment for starters. Word on the street pegs this bad boy at $300, but we all know the cost of getting a call sniffed could be much more costly than that.

[Via GetFlashMemory]

SprintSecure Laptop Guardian provides nonstop laptop security

Sprint users (or corporations with Sprint-using employees) can now look forward to "24/7 laptop security through remote monitoring, location and locking if a machine is lost or stolen." Thanks to a partnership with Alcatel-Lucent, the carrier will soon be offering up the OmniAccess 3500 PCMCIA card, which features its own battery, a "small operating system, a CPU, memory and an SD slot." When inserted into a lappie, it "hijacks the TCP/IP stack, so the card can enforce policies regarding what users can download, no matter what method the user employs to connect to the internet." Furthermore, the card must be loaded in for the laptop to even become usable, and the built-in GPS enables it to be located (and subsequently wiped or locked) regardless of whether the machine it's in is powered on. Reportedly, the device itself will run you around $250 and can only be used with unlimited data plans, and the extra security features will tack on another $10 to $12 per month.

[Via InfoWorld / Yahoo]

General Dynamics' Sectera Edge approved by NSA

We know, you probably forgot that a certain smartphone from General Dynamics was even in the running for NSA approval earlier this year, but lo and behold, the Q4 estimate was actually met and the coveted thumbs-up was given to the (totally unfashionable) Sectera Edge. The National Security Agency has reportedly "awarded a contract to General Dynamics C4 Systems enabling military and government users to order" the mobile, and just in case you weren't aware of how lucrative an indefinite delivery / indefinite quantity agreement could be, this particular one has a "potential value of $300 million over five years." Folks that end up with one of these things will have handheld access to the US government's Secret Internet Protocol Router Network (SIPRNet) and Non-classified Internet Protocol Router Network (NIPRNet), but oddly enough, we're not told whether top secret agencies will be kosher with third-party applications.

[Via CNET]

Intel teams up with ARM to make PDAs / mobiles uber-secure

As ARM continues its quest to become the record holder for partnerships created in one month, now we're seeing that the firm is getting cozy with Intel. Apparently, the duo is looking to instill ARM's TrustZone technology into mobiles, PDAs, set-top-boxes or other devices running "open operating systems such as Symbian OS, Linux and Windows CE." Essentially, the process involves wedding ARM's security solutions with Intel's Authenticated Memory, which purportedly "provides a solution that is stronger than either technology working independently," and moreover, the combination of technologies "can help reduce SoC cost." For the geeks who dig this stuff, feel free to hit the read link for a way-too-detailed eight-page PDF. [Warning: PDF read link]

[Via TheInquirer]

NTT's HC-1000 puts you in control of home security


Here in America, we don't take our home security systems lightly, but for those in Japan, it appears that they haven't resorted to installing sensor-triggered weapons in their windows just yet. The HC-1000 camera can be controlled via the internet or a FOMA mobile, and allows users to take a peek at what's going on without actually being on the premises. The device sports a three-megapixel CMOS sensor, Ethernet port, 802.11a/b/g, 2x digital zoom, and a QVGA video mode to boot. Additionally, a "defense support" system can enable the piercing siren to let loose a wail, and the built-in microphone / speaker can even open up two-way communication between you and your home-wrecker (or faraway relative). The HC-1000 itself will run you a modest ¥29,400 ($247), but those looking to totally lock down their dwelling can spend up to ¥141,750 ($1,191) for an elaborate whole home system.

[Via CScout, thanks Mike]

Vodafone UK serving up secure SMS

Vodafone's British arm has partnered with Broca Communications to offer its Secure Advanced Message Service -- cleverly named "SAMS" for short -- to business customers. Sitting atop SMS, SAMS offers encrypted messaging for those times when you simply must know beyond a shadow of a doubt that the "meet 4 dnr?" you just received is authentic. Of course, security has its price; the service will be billed on a per-message basis, which pretty much explains why it's being pitched to Voda's enterprise user base.

[Via textually.org]

Nuke detectors could eventually reside in your cellphone

Just in case fixed sensors all across the country, bomb-sniffing bees, and Bay Area nuke detectors weren't enough to make you rest easy, Homeland Security is cookin' up another safeguard at the expense of privacy. Reportedly, the Department is looking into the idea of "outfitting cellphones with tiny, sensitive detectors that would alert the government and emergency responders to the presence of radiological isotopes, toxic chemicals, and deadly biological agents." Essentially, future mobiles could come pre-loaded with such a device that continuously monitors said chemicals and sends off alerts via GPS if anything goes awry. Of course, officials are expecting "quite a few hurdles" along the way, one of which will be battling the privacy advocates who don't understand that their handset probably already contains the technology for Big Brother to see everywhere they go. No word on when these plans could take effect, nor whether older phones will be retrofitted with the toxic sensors, but we can already envision quite a few false alarms care of the cellphone-totin' chemists in the crowd.

[Via Textually]

Unofficial patch for Treo vulnerability loosed

If you've been a bit paranoid of late after hearing that a blatant security hole was found in the now-deceased Palm OS, help has unofficially arrived. Reportedly discovered by Symantec, the vulnerability entailed a hole that allowed the operating system's Find functionality to be accessed even when the device was set to Locked, allowing ill-willed hackers to sift through text message history, calendar entries, tasks, etc. The hole had been confirmed on the Treo 650, 680, and 700p, but now users of the handsets can rest a bit easier after applying this patch. As expected, the update simply disables the Find feature, which essentially closes off the last remaining security loophole and keeps prying eyes from seeing that backlog of steamy Valentine's Day texts. So if you're looking to unofficially patch things up with your Palm, be sure to hit the read link and get that install completed, but we're not the ones to come crying to if something goes awry.

[Via PalmInfoCenter]

"3rd-i" cam for spyin' on the go

There are undoubtedly less proprietary ways to go about doing this, but if you're looking for a quick, painless way to get a PC-free camera feed to your phone, a British operation by the name of 3rd-i reckons they have the answer. The concept is simple enough: take your garden-variety video cam, strap on a GPRS modem, and call it good for £199 ($370). Besides accessing live video and up to 30 days of archived footage via pretty much any Java MIDP 1.0- or 2.0-enabled phone, the unit can be set up to immediately text you upon detecting motion. Not bad -- in fact, we'd strongly consider using 3rd-i's cams to secure the Engadgetmobile, but the dual band 900 / 1800 support just doesn't cut it in these parts.

[Via Crowdedbrain]



