September 23, 2015

iOS 9 Bug Allows Hackers to Bypass Lockscreen

An independent security researcher has discovered a significant security flaw in iOS 9, the latest version of Apple’s mobile operating system. In a proof-of-concept video, the researcher shows that a simple bug allows anyone with physical access to an iPhone to bypass the lock screen and gain unrestricted access to the phone’s photos and contacts.

Jose Rodriguez, a security researcher, has uncovered a security flaw in iOS 9 that allows anyone with access to a locked Apple device to gain complete access to the phone’s contacts and photos.

The flaw was seemingly discovered after Apple had already shipped the 9.0.1 update to iOS 9, which means that devices updated to the latest version of the operating system might still be vulnerable to this simple hack.

The hack, as demonstrated by Rodriguez, can be seen here:

Here’s how the hack works:

  • Despite having entered an incorrect PIN multiple times, Rodriguez asked Siri, the iPhone assistant, for the time.
  • When the time was displayed, Rodriguez was able to use the ‘Search’ and ‘Share’ functions built into the iOS Clock feature.
  • Through these functions, he was able to reach the iPhone’s contact list, message folder and photos via the share screen, all without ever entering the correct PIN.


As it stands, the hack applies specifically to devices protected by a four- or six-digit passcode. Devices using an alphanumeric password or Touch ID are not susceptible to the hack.

Until Apple issues a patch for the bug, users are advised to disable Siri’s lock screen access. Alternatively, setting an alphanumeric passcode instead of a numeric one is recommended.


Users can disable Siri on the lock screen by going to:

Settings > Touch ID & Passcode and turning off Siri under “Allow access when locked”.

It should be reiterated that although the bug does not grant complete access to all of the phone’s features, it is a serious vulnerability when sensitive data such as photos and the contact details of friends and family can be reached with such a simple bypass.


About the author


LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
