PIN screen can be easily bypassed on WP 8.1

dariohead

New member
Jul 18, 2014
Hi everyone!

I looked for a similar topic but couldn't find one, so I hope this one is not a duplicate question...

I recently noticed one VERY STRANGE thing from the security point of view, on my Lumia 925 running the official WP 8.1 Cyan update.

When I turn on the phone and I am asked to enter a PIN, if I click the back button, I enter my phone's interface normally. Yes, of course, the phone is not connected to a carrier, but I can do with it whatever I want, connect to a wi-fi and see EVERYTHING there is on it, all the data and connected accounts.

NOW - is this a normal Windows Phone behaviour or?? Because, sorry, but if I have a PIN setup - every phone should simply NOT work until this PIN is entered - don't you agree? Because PIN is not only about protecting your SIM card, but the phone as well.

Am I missing something or is this a super huge security hole?
 

dariohead

New member
Jul 18, 2014
I am sorry, I am also on Denim, not Cyan! I just tried again, and it's just as described in my original post. I can do EVERYTHING with my phone except make calls and write SMS. :O
 

Pete

Retired Moderator
Nov 12, 2012
You're probably missing something. Without seeing what's going on, it's difficult to tell you what's happening.

Pressing the back button in the pin screen will always take you back to the lock screen.
 

dariohead

New member
Jul 18, 2014
OK, so one important thing to note here:
- I am not talking about the Lock Screen Password protection
- I mean the SIM card PIN

So, it is normal that if you do not use the "Lock Screen Password" and someone steals your phone, they can simply bypass the SIM card's PIN and access your phone, emails, accounts...?
 

Pete

Retired Moderator
Nov 12, 2012
4,593
0
0
Visit site
Ok, so that's the important part that you didn't point out.

The SIM PIN protects your SIM, not your phone.

This means that someone can't take the SIM out of your phone and use it in another without knowing the PIN. It doesn't lock the other aspects of your handset.
 

dariohead

New member
Jul 18, 2014
28
0
0
Visit site
And you don't find that problematic? Is this how it also works with other mobile OS-es, iOS, Android?

I remember that on whatever previous phones I have (this is my first WP one), if you didn't know the SIM PIN you didn't get into the phone - period.
 

Lee Power

New member
Aug 8, 2014
SIM PIN protects the SIM card. If you want to also protect the phone, set a phone lock PIN. My Lumia 930 starts up & asks for the SIM PIN; once the PIN is entered it goes to the phone idle / lock screen & requires the phone PIN before allowing access. If the phone is locked & connected via USB lead to a computer, it will not allow connection until the phone PIN is entered. Once that is done, the phone will communicate with the PC even if the lock screen times out & relocks the handset, until it's disconnected from the USB lead.
 

dariohead

New member
Jul 18, 2014
OK fair enough... but phone lock PIN needs to be entered every time you turn on your screen, right? Any way to ask for this PIN only at the phone startup?
 

Krystianpants

New member
Sep 2, 2014
> And you don't find that problematic? Is this how it also works with other mobile OS-es, iOS, Android?
>
> I remember that on whatever previous phones I have (this is my first WP one), if you didn't know the SIM PIN you didn't get into the phone - period.

Yes, it works the same. The SIM PIN is entered on first use.
 

dariohead

New member
Jul 18, 2014
28
0
0
Visit site
You are right yes... I still think it would be a great option to allow this kind of security... Something like a simple switch:
"Don't allow phone usage without SIM (PIN)".

Or am I too old-school? :D
 

kaantantr

New member
Feb 23, 2014
45
0
0
Visit site
SIM PIN and your device password are two different things. As others mentioned, the SIM PIN protects what's inside your SIM card.
Your device password, whether it is a computer password or a simple smartphone PIN, protects what's inside your device. Usually people set both up when having a smartphone (SIM PIN is obligatory anyway and they set up one for their lock screen to protect their phones).
 

Lee Power

New member
Aug 8, 2014
254
0
0
Visit site
It doesn't take long to enter the phone PIN when you pick the phone up to use it. I'd rather have my phone protected by its PIN at all times while not in use.
 

dariohead

New member
Jul 18, 2014
28
0
0
Visit site
OK, get it! :) Thanks guys!

For me personally, I am looking forward to the Iris scan, to use it without having to enter PIN every single time. If it'll work "as advertised", it will be a really nifty feature! :D
 

Lee Power

New member
Aug 8, 2014
254
0
0
Visit site
Even using Hey Cortana when my L930 is locked can trigger a phone PIN request, depending on what I've asked Cortana to actually do.
 

TechnoReact-Site

New member
Aug 25, 2015
20
0
0
Visit site
> OK, so one important thing to note here:
> - I am not talking about the Lock Screen Password protection
> - I mean the SIM card PIN
>
> So, it is normal that if you do not use the "Lock Screen Password" and someone steals your phone, they can simply bypass the SIM card's PIN and access your phone, emails, accounts...?

Yes, it's normal. It is behaving the way it should. You have the lock screen password to protect your phone.
 

Rose640

New member
Jul 20, 2015
3,891
0
0
Visit site
> You are right yes... I still think it would be a great option to allow this kind of security... Something like a simple switch:
> "Don't allow phone usage without SIM (PIN)".
>
> Or am I too old-school? :D

No, you're not too old school, I find that weird too. On my old phone, when you didn't know the SIM PIN, you wouldn't be able to access the phone. Good thing I saw this. Gonna set the lock screen pw right away.
 

SamJHannan

New member
Sep 27, 2014
305
0
0
Visit site
> OK fair enough... but phone lock PIN needs to be entered every time you turn on your screen, right? Any way to ask for this PIN only at the phone startup?

Not exactly what you're asking, but I have mine set to only ask if the phone has been inactive for 30 minutes, so it's not a huge hassle entering it every time.
 
