On the 16th of September Apple released iOS 9, the new version of its mobile operating system. Like several versions before it, this iteration suffers from a weakness that makes it possible to bypass the lock screen without entering the respective PIN code. Exploiting this flaw requires Siri to be enabled and physical access to the phone. A successful exploitation results in a major loss of confidentiality, as all photos and all contacts in the phonebook can be accessed by the attacker. The following steps lead to the lock screen bypass:
- Wake the iOS device up by pressing the lock button and enter an incorrect passcode four times.
- For the fifth attempt, enter 3 (or 5) digits, i.e. one less than the length of the passcode; for the last digit, press and hold the Home button to invoke Siri, immediately followed by the 4th digit.
- When the Siri screen appears, ask her for the time.
- Tap the clock icon and add a new clock. Type any characters into the city field that appears.
- Double-tap the characters you typed to invoke the copy-paste menu, select all, then tap “Share” and choose the “Message” icon in the Share sheet.
- At this point all contacts in the phonebook can be enumerated by brute force: typing the character “a” into the recipient field displays all contacts beginning with or containing the letter a.
- Now type some random characters into the “To” field of the Messages app, hit Return and double-tap the green contact name at the top.
- Select “Create New Contact”, tap “Add Photo” and then “Choose Photo”.
- The entire photo library is now visible without the passcode ever having been entered.
I captured a short video where you can see how it works:
Users can protect their iPhones by disabling Siri on the lock screen or by using an alphanumeric password instead of a numeric passcode, because the first update for iOS 9 (9.0.1) does not fix this issue.

Incidents like these have to be taken into account when performing a risk assessment for corporate use of smartphones.
Happy hacking!