New iOS Version – New Lockscreen Bypass

On the 16th of September, Apple released iOS 9, the new version of its mobile operating system. Like several versions before it, this new iteration suffers from a weakness that makes it possible to bypass the lockscreen without entering the PIN code. Exploiting this flaw requires Siri to be enabled and physical access to the phone. Successful exploitation results in a major loss of confidentiality, as all photos and all contacts in the phonebook can be accessed by the attacker. The following steps lead to the lockscreen bypass:

  • Wake the iOS device up by pressing the lock button and enter an incorrect passcode four times.
  • For the fifth time, enter 3 (or 5) digits (one less than the length of the passcode), and for the last one, press and hold the Home button to invoke Siri immediately followed by the 4th digit.
  • When the Siri screen appears, ask her for the time.
  • Click on the clock icon and add a new clock. Write any characters in the city field that appears then.
  • Double click on the characters you wrote to invoke the copy-paste menu, select all, then click on “Share” and choose the “Message” icon in the Share context.
  • At this point all contacts within the phonebook can be bruteforced. Typing in the character “a” will display all contacts beginning with or containing the letter a.
  • Now again type some random characters in the “To” field of the messages app, hit Return and double click on the green contact name on the top.
  • Select “Create New Contact,” and click on “Add Photo” and then on “Choose Photo”.
  • You will now be able to see the entire photo library, without typing in the passcode.

I captured a short video where you can see how it works:

This is at least the fourth time that Apple's iOS has suffered from a flaw that makes it possible to bypass the screen lock. The first three flaws are described here, here and here.

Users can protect their iPhones by disabling Siri or by using a password instead of a passcode, as the new update for iOS 9 (9.0.1) does not fix this issue.

Incidents like these have to be taken into account when performing a risk assessment for corporate use of smartphones.
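For managed corporate devices, the two mitigations named above can be checked against the configuration profile a fleet deploys. The following Python audit is an added example, not part of the original post. It assumes Apple's standard profile payloads (`com.apple.applicationaccess` with `allowAssistant` / `allowAssistantWhileLocked`, and `com.apple.mobiledevice.passwordpolicy` with `requireAlphanumeric`), treats blocking Siri on the lock screen as equivalent to disabling Siri for this purpose, and runs on a constructed sample profile.

```python
import plistlib

# Constructed sample profile (not from the original post): Siri is still
# allowed on the lock screen and a simple numeric passcode is accepted.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowAssistant</key><true/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>forcePIN</key><true/>
      <key>requireAlphanumeric</key><false/>
    </dict>
  </array>
</dict></plist>"""


def audit_profile(profile_bytes):
    """Return a list of findings for the two mitigations named in the post."""
    profile = plistlib.loads(profile_bytes)
    settings = {}
    # Merge the keys of the payloads relevant to Siri and passcode policy.
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") in (
            "com.apple.applicationaccess",
            "com.apple.mobiledevice.passwordpolicy",
        ):
            settings.update(payload)

    findings = []
    # Both Siri keys default to "allowed" when a profile does not set them.
    siri_on = settings.get("allowAssistant", True)
    siri_locked = settings.get("allowAssistantWhileLocked", True)
    if siri_on and siri_locked:
        findings.append("Siri is reachable from the lock screen")
    # Without requireAlphanumeric a numeric passcode satisfies the policy.
    if not settings.get("requireAlphanumeric", False):
        findings.append("alphanumeric password is not enforced")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("FINDING:", finding)
```

An empty result means the profile enforces both mitigations; a device with no such profile installed is left to the user's own settings.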

Happy hacking ?
