November 18, 2016 by

Alert: iPhone Passcode Can Be Bypassed to Access User Media

Despite Touch ID’s implementation, the Apple iPhone’s passcode has proven to be vulnerable, with a proof-of-concept demonstrating that the security feature can be bypassed to access the user’s photos and messages.

A significant security flaw has been discovered in iOS versions 8 and above wherein anyone can bypass iPhone’s passcode and gain access to a user’s media and personal information via Apple’s assistant Siri.

Discovered by EverythingApplePro and iDeviceHelps, a video demonstration showcases the exploit which is simply triggered with the knowledge of the target iPhone user’s mobile number.

Siri even makes it easier for an attacker to ascertain the target’s phone number. A simple “Who am I?” will enable Siri to respond in kind, with the phone’s number.

The Hack

The process toward the iPhone exploit is relatively straightforward and simple, scarcely requiring the cryptographic skills of a seasoned hacker. The hack is triggered with a phone call made toward the target’s iPhone. A FaceTime call will also aid the hack.

When you receive that phone call on the target’s phone, click on the message icon before choosing ‘custom message’. This will take you to a new message screen where you can craft a custom response. Here, press and hold the Home button to enable Siri. Give the command “Turn on Voice Over” and Siri will follow your command by enabling it.

Next, go back to the message screen and double tap the bar where the caller’s name needs to be entered. While holding it, immediately click the keyboard down below. Give it a few tries if you do not see any activity.

Soon enough, you will see a slide-in bar above the keyboard. With that as your cue, ask Siri to “Turn off VoiceOver” before coming back to the message box. Here, proceed to type the first letter of a caller’s name with the ‘I’ or information icon next to it. Now, select that contact and you will be able to look at the phone’s photo gallery, even though the phone is still, fundamentally, locked.

While Apple is no doubt working on a fix for the exploit, users are advised to disable Siri on the Lockscreen by going to Settings à Touch ID & Passcode before ‘Disable Siri on the lockscreen’.

The entire video of the hack can be seen below:

Image credit: Pexels.

About the author

Image of Author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagements experience while providing a strategic and integrated array of services to minimum risk and disruption while protecting your brand.

Related articles

Apple Partners Allianz to Offer CyberCrime Insurance Perks

A new partnership between Apple, Cisco and insurance firm Allianz SE will see businesses using...

Read more arrow_forward

Happy New Year: Researcher Drops MacOS Zero-Day Root Access Kernel Exploit

To ring in the new year, a security researcher on New Year’s Day disclosed an unpatched security...

Read more arrow_forward

Apple Pushes Update to Fix Major Mac OS Vulnerability

Apple has issued an emergency patch after admitting to a major security flaw that enabled anyone to...

Read more arrow_forward