Passcode Bypass Bugs Trouble iOS 9.1 and Later

Apple has yet to patch a series of bypass vulnerabilities in iOS that could let an attacker sidestep the passcode authorization screen on iPhones and iPads.

Apple has yet to patch a series of bypass vulnerabilities in iOS that could enable an attacker to sidestep the passcode authorization screen on iPhones and iPads running iOS 9.0, 9.1, and the most recent build of the mobile operating system, 9.2.1.

As with all passcode bypass bugs, an attacker would need physical possession of the device to carry out the attack, but that’s not a valid excuse for leaving the vulnerabilities unfixed, researchers say.

The bugs can be used to access apps native to iOS, such as Clock, Event Calendar, and Siri’s user interface, and that has been the case for at least three months, according to Benjamin Kunz Mejri, a researcher at Vulnerability Lab, who divulged details on them Monday.

“The issue is not fixed after a three-month duration. We have the newest versions of iPad and iPhone and are still able to reproduce it after the updates with default configuration,” Mejri told Threatpost Monday.

For all the work Apple has done to rein in Siri, the culprit behind several previous passcode bypass bugs, each of these vulnerabilities can be triggered through the company’s voice-activated personal assistant.

Mejri broke down several attack vectors in a write-up of the bugs posted on the company’s site Monday morning, all of which rely on an internal browser link request to skip the passcode screen.

In one, an attacker asks Siri to open an app that doesn’t exist. Siri responds by opening a restricted browser window to the App Store, and from there the attacker apparently can switch back to the home screen, either via the home button or via Siri, without further authorization.

An attacker could also use Siri to open either the Clock or the Event Calendar app to exploit the bugs.

In another vector, the Clock app offers users the option to buy alarm tones; accepting the prompt opens a browser window that lists some apps. From there a user can navigate to other parts of the phone, Mejri claims.

Both the Clock and the Event Calendar apps let users open links to the Weather Channel’s app, which, if the user hasn’t installed it, opens in the App Store. From there an attacker can simply jump back to the home screen as well, Mejri writes.

According to Vulnerability Lab, which disclosed the issue to Apple’s Product Security Team shortly after the New Year, the company acknowledged the issue but had no further conversation with the researchers, citing its internal security and company policy.

It’s unclear exactly when or if Apple, which did not immediately respond to a request for comment on Monday, will address the issue.

There’s a chance the company, deep in the throes of a much publicized battle with the F.B.I. surrounding encryption, could fix the bugs when it releases iOS 9.3 later this spring.

Unlike the phone the F.B.I. is trying to get into, the vulnerabilities Mejri dug up are only present in more recent devices like the iPhone 5, 5s, 6 and 6S, and the iPad Mini, 1 and 2.

Discussion

  • Dan on

    Didn't this get proven as a hoax? It's just someone fingerprint reading themselves to unlock the functionality of the phone while using Siri?
    • Chris Brook on

      This research is separate. Looks like they posted a new video where they delete the fingerprint from the phone and are still able to carry out the attack. https://www.youtube.com/watch?v=p1X70xUDxjg&feature=youtu.be&a That said, I'm having a tough time replicating.
  • richardw on

    If you use your TouchID registered finger to activate Siri you have unlocked the phone with TouchID. Once you do this Siri will link through to other parts of the device etc. because the phone has now been unlocked by TouchID. If you try these same tests with a finger not registered to TouchID the phone does not unlock and a passcode is requested to link through, or the features are limited. All these examples show is that TouchID works in a fairly transparent manner to the user. None of these are actual vulnerabilities. Same goes for the message copy/paste scenario - in that case if you haven't unlocked the device with TouchID the paste & share options are not presented and there is therefore no risk.