September 23, 2015

iOS 9 Bug Allows Hackers to Bypass Lockscreen

An independent security researcher has discovered a significant security flaw in iOS 9, the latest version of Apple’s mobile operating system. In a proof-of-concept video, the researcher shows that a simple bug allows anyone with physical access to an iPhone to bypass the lock screen and gain unrestricted access to the phone’s photos and contacts.

Jose Rodriguez, a security researcher, has uncovered a security flaw in iOS 9 that allows anyone with access to a locked Apple device to gain complete access to the phone’s contacts and photos.

The flaw, seemingly discovered after Apple updated iOS 9 to version 9.0.1, might mean that devices updated to the latest version of the operating system are still vulnerable to the simple hack.

The hack, as demonstrated by Rodriguez, can be seen here:

Here’s how the hack works:

  • Despite entering an incorrect PIN multiple times, Rodriguez asks Siri, the iPhone assistant, for the time.
  • When the time is displayed, Rodriguez is able to use the ‘Search’ and ‘Share’ functions built into the iOS clock feature.
  • Using these functions, he is able to access the iPhone’s contact list, message folder and photos via the share screen, all without ever entering the correct PIN.

As it stands, the hack applies specifically to devices protected by four- or six-digit passcodes. Alphanumeric passwords and Touch ID security are not susceptible to the hack.

Until Apple issues a fix to patch the bug, users are advised to disable Siri’s lock screen access. Alternatively, setting up an alphanumeric passcode instead of a numeric passcode is recommended.

Users can disable Siri on the lock screen by going to:

Settings > Touch ID & Passcode and deactivating Siri under “Allow access when locked”.

Although the bug doesn’t grant complete access to all of the phone’s features, it is still a serious vulnerability when sensitive data such as photos and the contact information of the user’s friends and family can be easily accessed with a simple bypass.


About the author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagements experience while providing a strategic and integrated array of services to minimum risk and disruption while protecting your brand.
