The owners of two Apple-dedicated YouTube channels, EverythingApplePro and iDeviceHelp, have found a flaw in the iOS passcode device protection system that allows an attacker to access the device’s data, such as photos and messages.
The bug they found is only exploitable with physical access to the device and if the user has Siri enabled.
The reason Siri needs to be enabled is to allow the attacker to query the iPhone or iPad’s phone number by asking the “Who am I?” question. If the attacker knows this detail he can just call the phone number or initiate a Facetime video call.
It doesn’t matter if the user is using a 4-digit, six-digit, or Touch ID locking system. When the user’s device receives the call, it will prompt the user to answer the call.
The attacker only needs to press the Message icon to respond with an SMS. Despite being locked, the New Message screen pops up.
At this point, the attacker needs to use Siri again, and tell it to “Turn on Voice Over.” For some reason, the bug is only exploitable with this feature turned on.
The next step requires a little bit of dexterity. The attacker needs to double tab the field where he’s suppose to enter the recipient’s name, while quickly taping on a random key on the keyboard. This might take several tries.
If successful, the attacker would then be allowed to write in the “To” field of the SMS message, something that shouldn’t be permitted, since the message was supposed to go to the person who previously called the device.
Because the attacker managed to access that field, he’s now able to peruse through the victim’s address book.
Siri’s voice over can now be turned off, because it’s not needed anymore and it becomes annoying. This can be done with the “Turn off VoiceOver” command.
While searching the victim’s contacts list, the attacker must find an entry that’s marked with the “ⓘ” icon to the right. Users must tap this icon and then tap the button to create a new contact.
While creating a new contact, an attacker can add a photo. This option allows the attacker to sift through the target’s photo gallery, remind you, while the phone has been locked.
Two videos from EverythingApplePro and iDeviceHelp are available below detailing the exact passcode bypass procedure.
The two YouTubers say the bug affects all iPhones and iPads running iOS 8 and higher, including the latest iOS release.
EverythingApplePro promised to release a new video after Apple fixes the bug in which he shows how someone could escalate the bug and gain access to the user’s contacts and home screen.