Apple fixes iPhone passcode bypass flaw server-side, without having to push out an update

Credit where credit is due – Apple cannot be accused of slouching when it comes to fixing a newly publicized vulnerability that could have seen unauthorized parties bypassing the passcode and accessing information from iPhones.

And what’s more, the Cupertino firm was able to fix the flaw without having to push any new software out to the millions of iPhones potentially at risk.

The flaw, present in the latest version 9.3.1 of iOS, made it possible for someone with physical access to your iPhone to gain unauthorized access – waltzing past the passcode and Touch ID fingerprint sensor.

Vulnerability Labs disclosed details of the security hole, explaining the process.

With a locked iPhone, an attacker can command Siri to search an app (such as Twitter). When a result containing contact details – such as an email address – is found, the attacker can use 3D Touch to bring up the Quick Actions Menu, allowing them to add it to an existing contact. And with this, the iPhone’s complete contacts list is exposed.

With a few more clicks, the iPhone’s photo library is accessible too.

Researcher Jose Rodriguez made a YouTube video, demonstrating how easy it was to exploit the vulnerability.

Vulnerability Labs says that it informed Apple’s security team of the flaw on 18 March, but that the flaw was still present when Apple rolled out iOS 9.3.1 on April 4th.

However, it now appears that Apple did not have to change iOS at all in order to fix the security hole.

Instead, the company has made a server-side change, forcing Siri to request that the iPhone is unlocked (through a recognized fingerprint or passcode) when searches that could result in the flaw being exploited are requested.

Nonetheless, there have been too many passcode bypass flaws found in iOS over the years for my liking.

If you worry that your supposedly locked iPhone might be vulnerable to future flaws, then it seems to me that you can increase your security by permanently disabling Siri from the lock screen.

To do that, go to Settings / Touch ID & Passcode, scroll down to the “Allow access when locked” section and disable Siri.


An obvious question: could this vulnerability have helped the authorities in the recent FBI vs Apple case?

Personally, I think that’s unlikely.

The iPhone at the center of the San Bernardino case was an iPhone 5C. The vulnerability that Apple has just patched only works on devices which include support for 3D Touch – in other words, the iPhone 6S and iPhone 6S Plus.

Via: tripwire

