Critical iOS 9 vulnerability allows lock screen bypass using the Siri voice assistant



Security researcher Videosdebarraquito posted a video on YouTube demonstrating how to bypass the iPhone 6S and 6S Plus lock screen using the Siri voice assistant and 3D Touch. Since the 3D Touch pressure-sensing mechanism is present only in these devices, only they are vulnerable.

Any person who has physical access to the device can get access to the personal data of its owner, including photos and a list of contacts. The vulnerability is present in iOS 9.2 and later versions, including the latest release of iOS 9.3.1.

How it works




On a locked device, invoke Siri (either by holding down the Home button or by using the “Hey Siri” function). Then ask the voice assistant to search Facebook or Twitter for any popular email domain.

When Siri finds a message containing a valid email address, press firmly on it; thanks to 3D Touch, a context menu appears on the screen. In the menu, select the “Create a new contact” option and tap “Add photo”, after which you have access to the photos stored on the device.

How to protect


To protect themselves, owners of iPhone 6S and 6S Plus smartphones should disable access to Siri from the lock screen: in Settings, select “Touch ID & Passcode” and turn off Siri in the “Allow Access When Locked” section.

In addition, according to media reports, Apple has fixed this vulnerability: on the morning of April 6, many users could no longer exploit it.
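On devices managed through configuration profiles, the same lock screen setting can be audited in bulk. The Python code below is an added example, not part of the original article: it parses an unsigned .mobileconfig file and reports whether its Restrictions payload still leaves Siri reachable from the lock screen. The sample profiles and helper names are constructed for illustration; allowAssistant and allowAssistantWhileLocked are Apple's restriction keys.

```python
import plistlib

# Payload type of the iOS "Restrictions" payload in a configuration profile.
RESTRICTIONS = "com.apple.applicationaccess"


def siri_allowed_when_locked(profile_bytes):
    """Return True if the profile leaves Siri reachable from the lock screen.

    Assumes an unsigned profile (plain XML or binary plist); a signed profile
    must have its CMS envelope removed before it is passed in.
    """
    profile = plistlib.loads(profile_bytes)
    allowed = True  # a missing key means the iOS default applies: allowed
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS:
            continue
        # Disabling Siri entirely, or only while locked, closes the entry point.
        if payload.get("allowAssistant", True) is False:
            allowed = False
        if payload.get("allowAssistantWhileLocked", True) is False:
            allowed = False
    return allowed


def make_profile(restrictions):
    """Build a constructed sample profile; restrictions=None omits the payload."""
    payloads = []
    if restrictions is not None:
        payloads.append({
            "PayloadType": RESTRICTIONS,
            "PayloadVersion": 1,
            "PayloadIdentifier": "example.invalid.restrictions",  # placeholder
            **restrictions,
        })
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.invalid.profile",  # placeholder
        "PayloadContent": payloads,
    })


if __name__ == "__main__":
    samples = {
        "no restrictions payload": make_profile(None),
        "Siri blocked while locked": make_profile({"allowAssistantWhileLocked": False}),
    }
    for name, data in samples.items():
        state = "EXPOSED" if siri_allowed_when_locked(data) else "ok"
        print(f"{name}: {state}")
```

A profile without a Restrictions payload is reported as exposed, because the device then keeps its default of allowing Siri on the lock screen.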

What does the FBI have to do with it?


In recent months, Apple’s conflict with the FBI has been widely discussed: the agency asked the company to provide a tool for gaining access to the data on a locked iPhone. It was reported that this was required to investigate the terrorist attack in the city of San Bernardino, where one of the attackers used an iPhone 5C, which, according to the FBI, may contain valuable data. However, the device is locked, and the protection mechanism works in such a way that after several unsuccessful attempts to guess the password, all data is erased.

Apple chief executive Tim Cook officially refused to provide the security services with a lock bypass tool. After that, the FBI filed a lawsuit against the company, but the lawsuit was later withdrawn, and security officials said they could unlock the smartphone without Apple's help.

At the moment it is not known exactly how the Bureau managed to do this. Among the versions put forward by security experts interviewed by journalists were the use of memory mirroring techniques, the use of a SecureROM bug unknown to the general public, and the use of software that exploits a lock screen bypass vulnerability (a similar vulnerability, for example, allowed access to images in iMessage encrypted chats on iOS 9 and iOS 9.3).

Other ways to bypass smartphone screen lock


The described method is not the only one that allows you to bypass the screen lock in iOS using Siri. For example, in the fall of 2015, an article was published on Habr describing a lock screen bypass in which you first repeatedly enter the password and then activate the voice assistant. The whole algorithm goes like this:

To do this, repeatedly enter the wrong password, and then ask the voice assistant for the time.

After Siri reports the exact time, you need to tap the “Clock” application icon and adjust the time zone. These manipulations can lead to the list of contacts, where it will be possible to add a new entry: for it, you will be asked to choose an avatar. These actions allow you to see not only the entire address book, but also all the pictures stored on your phone.



Shortly before that, a similar vulnerability was found in Android. University of Texas researcher John Gordon said that the lock screen on devices running Android 5.0 and above can be circumvented by entering a very long set of numbers. He caused the emergency call field to reload, after which entering the password activated the phone's camera, which gave access to the entire system.



In March 2016, researchers at Vulnerability Lab published a description of lock screen bypasses using Siri, as well as the event calendar and clock applications, for iPhone models 5, 5S, 6 and 6S and iPad models Mini, 1 and 2 running iOS 9 versions 9.0, 9.1 and 9.2.1.

The published video described four ways to bypass the lock. In the first one, the attacker launches Siri and asks the assistant to open a nonexistent application. In this case, Siri says that there is no such application, but that it can help “find it in the App Store”. Activating the App Store button opens a new restricted browser window, which can be used, for example, to launch the last used application. Similarly, it is possible to bypass the lock screen by asking Siri to start the clock: manipulations with this window can also open the restricted browser window.



Another popular way to bypass the lock screen in iOS and Android is to use the emergency call feature, which remains available even when the screen is locked. Descriptions of various manipulations that make it possible to place calls and send messages can be found online. For example, here is a guide for iOS 6, and the video below shows how to bypass the lock on a Samsung smartphone (a detailed description is here):

Source: https://habr.com/ru/post/281150/

