Is it REALLY this simple to bypass the iPhone and iPad lockscreen?

Researchers claim multiple iOS 9 vulnerabilities allow attackers to bypass Apple device’s built-in security – but some are skeptical.

Is it REALLY this simple to bypass the iPhone and iPad lockscreen?

A series of vulnerabilities found in the latest version of Apple's mobile operating system allegedly allow an attacker to bypass the passcode mechanism on an iPhone or iPad, but we have been unable to replicate the exploit.

On Monday, security research firm Vulnerability Laboratory published an advisory in which it provides some context on the alleged security issues:

"The vulnerabilities are located in the 'Appstore', 'Buy more Tones' or 'Weather Channel' links of the Clock, Event Calender & Siri User Interface."

"Local attackers can use Siri, the event calender or the available clock module for an internal browser link request to the appstore that is able to bypass the customers passcode or fingerprint protection mechanism. The attacker can exploit the issue on several ways with siri, the events calender or the clock app of the control panel on default settings to gain unauthorized access to the affected Apple mobile iOS devices."

The advisory claims that the vulnerabilities affect iOS 9.0, 9.1, 9.2.1 for Apple iPhone (5, 5s, 6 and 6s) and the iPad (mini 1 and 2). They are estimated at a "High" severity level and have received a CVSS score of 6.4.

The advisory details four scenarios by which an attacker could exploit the vulnerabilities. In a majority of the cases, the attacker makes use of a Siri request to open an affected non-restricted app, such as the Clock app.

Once the target app has been opened, the attacker clicks on a link that opens a restricted App Store browser window, such as "Buy More Tones" or "App Store." At that point, the attacker then uses Siri or presses the Home button twice to return to the home screen with full access to the device.

A YouTube video claims to demonstrate the exploitation of these vulnerabilities:

We tried to replicate these exploits to see if they really worked.

However, when we tried to do so, we were able to get past the passcode only when we used a finger on the home button that we previously registered with Touch ID. By contrast, when we tried to do it with a finger that we hadn't registered with Touch ID, we couldn't get the App Store button to work. It simply kept prompting for the passcode to be entered or a valid fingerprint to be offered.

News of these vulnerabilities has been making its way around the web.

Such coverage has sparked skepticism in some observers, with Adrian Kingsley-Hughes commenting on ZDNet that the exploits appear to consist of little more than activating Apple's Touch ID fingerprint authentication mechanism while invoking Siri.

Ios 9 We're not the only ones who are starting to have our suspicions about these alleged vulnerabilities.

Adrian Kingsley-Hughes commented on ZDNet that the exploits appear to consist of little more than activating Apple's Touch ID fingerprint authentication mechanism while invoking Siri.

Given our trouble replicating the exploits when using a finger not registered with Touch ID, this could very well be the case. Our suspicion is that the researchers may have been unwittingly unlocking the device with their recognised fingerprint, not realising that if they had used a non-registered finger they might not have succeeded.

So, it appears these vulnerabilities might not constitute true security risks.

But we can draw some lessons from this event nevertheless.

First, if they have not already done so, iOS users should activate Touch ID on their devices and/or should protect their iPhones and iPads with a passcode.

Second, to protect against legitimate Apple bypass vulnerabilities, users should also be careful to never leave their device unattended in a public place. Many passcode bypass exploits require physical access to work. If you are careful about where you leave your phone, attackers won't stand a chance breaking onto your device.

Tags: , , , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , , , ,

8 Responses

  1. Jeo

    March 8, 2016 at 12:26 am #

    Researchers claim? I think not.

  2. The Mole

    March 8, 2016 at 10:34 am #

    Oh no I have a non-registered finger………………….

  3. Phil J

    March 8, 2016 at 10:57 am #

    Someone should tell the FBI

  4. David B.

    March 8, 2016 at 12:29 pm #

    This is well worth a few minutes of your time!

    https://www.youtube.com/watch?v=MG0bAaK7p9s

    In language simple enough for even a child to understand, John McAfee explains for the world and for the FBI how to hack an iPhone or any computer that is in physical custody. No need for network-connected backdoors.

    • Graham Cluley in reply to David B..

      March 8, 2016 at 12:35 pm #

      I'm afraid John McAfee doesn't know what he's talking about.

      Good take-down by Ars Technica here: http://arstechnica.com/security/2016/03/john-mcafee-better-prepare-to-eat-a-shoe-because-he-doesnt-know-how-iphones-work/

      • David B. in reply to Graham Cluley.

        March 8, 2016 at 5:32 pm #

        A great candidate, then, for becoming the next POTUS! ;-)

  5. Kieran

    March 8, 2016 at 4:46 pm #

    Why is this so called vulnerability all over the web when it's not even an exploit in the first place ahahah, Touch ID and registered fingerprints that's all this myth is about

  6. Yasmin

    March 21, 2016 at 3:44 am #

    How does a mere mortal who is locked out of her phone without Siri access get back in? Please someone post a video. Or tell me a. Address where I can mail my phone ?

Leave a Reply