An independent security researcher has discovered a significant security flaw in iOS 9, Apple’s latest version of its mobile operating system. In a proof-of-concept video, the researcher shows that a simple bug allows anyone with physical access to an iPhone to bypass the lock screen and gain unrestricted access to the phone’s photos and contacts.
Jose Rodriguez, a security researcher, has uncovered a security flaw in iOS 9 that allows anyone with access to a locked Apple device to gain complete access to the phone’s contacts and photos.
The flaw, seemingly discovered after Apple’s 9.0.1 update to iOS 9, may mean that devices updated to the latest version of the operating system are still vulnerable to this simple hack.
The hack, as demonstrated by Rodriguez, can be seen here:
Here’s how the hack works:
- After entering an incorrect PIN multiple times, Rodriguez asks Siri, the iPhone assistant, for the time.
- When the time is displayed, Rodriguez was able to use the ‘Search’ and ‘Share’ functions built into the iOS clock feature.
- When using these functions, he was able to access the iPhone’s contact list, message folder and the photos via the share screen, all of which were seen without ever entering the correct PIN.
As it stands, the hack currently applies specifically to devices protected by four- or six-digit passcodes. Alphanumeric passwords and Touch ID security are not susceptible to the hack.
Until Apple issues a patch for the bug, users are advised to disable Siri’s lock screen access. Alternatively, setting an alphanumeric passcode instead of a numeric passcode is recommended.
Users can disable Siri on the lock screen by going to:
Settings > Touch ID & Passcode and turning off Siri under “Allow access when locked”.
It has to be reiterated that although the bug does not grant complete access to all of the phone’s features, it is still a serious vulnerability: sensitive data such as photos and the contact information of the user’s friends and family can be easily accessed with a simple bypass.