So if you are a fan of the iPhone and have it all configured & syncd to your Exchange server, I want to pass a word of caution to you.

Firstly, you SHOULD be locking your iPhone with a PIN. Not doing so makes it easy for anyone to look at your emails, contacts and calendar. It’s another layer of defense which costs you nothing. Please use it.

However, I am sad to report that even if you do use it, the current PIN security in iPhone 2.0.2 is flawed. If you have used the “Favorites” feature in the phone, it is possible to break into the phone.

Here are the steps to do so:

1. Press the Home button to wake up the iPhone.
2. Slide to unlock
3. Click the “Emergency Call” button on the bottom left
4. Press the “Home” button two times fast. Your Favorites list will show up.
5. Click on the “>” circle of a contact that has an email address tied to it
6. Hit the email address to create a new email.
7. “Cancel” the new email.
8. You are now in the users Exchange mailbox, without knowing their PIN to unlock the phone.

This seems like a pretty interesting attack vector. I would have never expected the Emergency mode in an iPhone to be used so easily in this way.

Apple is aware of the security hole, and this will be circling around the Internet shortly. So keep those iPhones close until an update is available!!