Bypassing passcode on iPhone turns out to be a hoax – update

Spread the love

A report from a Vulnerability Labs “investigation” that it might be possible to access an iPhone or iPad by exploiting vulnerabilities in links from the clock events calendar or Siri interface has been found to be false.

For the sake of completeness, the article is still below:

Several vulnerabilities have been discovered in iOS 9.0, 9.1, and 9.2.1. With physical access to an iPhone or iPad, it is possible to bypass the passcode by exploiting vulnerabilities in links from the clock, events calendar or Siri interface

A patch for the vulnerabilities is not available to date. According to the discoverer of the vulnerability, Vulnerability Lab, Apple was already informed on January 3, but nothing has been done with the information so far. It was therefore decided to publish the vulnerabilities on Monday 7 March.

By using links to the App Store, Buy More Tones or Weather Channel from the clock, calendar or Siri interface, an internal browser link can be requested that makes it possible to bypass the passcode or fingerprint scan. Bypassing access protection is possible if the phone’s default settings have not been modified.

Vulnerability Lab worked out four different scenarios to bypass the passcode. In the first scenario, the attacker requests a non-existent app via Siri. Then Siri replies with a link to the App Store to search for it. Then a limited browser screen opens with some apps that match the search. At that point it is possible to switch to the internal home screen by doing something with the home button or with Siri. The link to enter the phone is in Siri’s interface and says “Open App Store”. This works on iPhones 5 and 6 with all 9.x iOS versions, according to the researchers.

Two of the four attack options work on the iPhone and two on the iPad. That’s because the iPad’s screen is larger and therefore displays some things differently. It is not known when Apple will come up with a fix for the problem. To be safer with an iPhone 5 or 6 or an iPad mini, 1 or 2, the researchers recommend disabling the Siri module, the events calendar and the public control panel. The settings of the Weather app also need to be adjusted.

All scenarios and steps to address the issues can be found on the Vulnerability Lab site.

Update 18.27: The method only works if the user activates Siri with a finger already registered with Touch ID, Mac Rumors reports. Running the process without a pre-entered fingerprint will not open the iTunes store. Therefore, the Vulnerability Labs report appears to be a false alarm.

Update 2: To avoid further confusion, the title “iPhone passcode to be bypassed via iOS leak – update” has been changed to “iPhone passcode bypass turns out to be hoax – update”

You might also like
Exit mobile version