Security bods disclose lock bypass bug in iOS

Let the wild speculation about just how the FBI cracked San Bernardino killer's phone begin

Updated In a release that's bound to spark all sorts of speculation, Vulnerability Lab has disclosed an iOS touch passcode bypass.

Apple has pushed a fix on the server side, as noted at the end of this story.

In late March, Johns Hopkins University professor Matthew Green said a bypass existed, but withheld details pending Apple's patch.

This may or may not refer to the same issue: Vulnerability Lab says the bug is present in iOS 9.3.1 (as well as 9.2.1), even after Cupertino's April 4 2016 update. The group says it notified Apple of the issue on March 18.

Here's what the researchers, led by Benjamin Kunz Mejri, who presented at Full Disclosure on April 5, found: some installed applications allow interactions without demanding a passcode. Example applications listed in the advisory include Yahoo!, Twitter and Facebook.

On a locked phone, the attacker can use Siri to search through the target application; that search shows an @ tag in the slide preview, the advisory says, and pushing the @ tag button makes the basic context menu available.

If the attacker then chooses an action such as “add contact”, Vulnerability Lab says, and then navigates to add a picture to the contact, they end up with “access to the photo album of the apple device without secure auth”. They can then exploit the contact they've created to access the mailbox, again without authorisation.

Adding an email to the contact will allow access to the iPhone's address book, the advisory adds.

As a temporary fix, users should disable Siri and deny the app access to pictures and the address book.

And in the long term? This flaw has obvious overlaps with United States authorities' interest in iPhones' innards, which the FBI says it sated with the help of a Japanese firm. Or did it? ®

Updated to add

Thanks to the commentard who alerted us to Apple's fix for the issue. Siri now demands your lock screen passcode if someone tries to ask Siri for a search while at a secured Lock screen.

As 9to5Mac notes, implementing the fix at the server side allowed Cupertino to move fast on blocking the vulnerability. ®

