
How to bypass Apple Passcode in 9.1 and later


A number of passcode bypass vulnerabilities still affect Apple mobile devices (iPhones and iPads) running iOS 9.0, 9.1 and the recent 9.2.1. A local attacker holding the device could exploit them to skip the passcode authorization screen.

According to Benjamin Kunz Mejri, a researcher at Vulnerability Lab, this category of security holes can be exploited to reach apps native to iOS, such as Clock, Calendar (events) and Siri's user interface, without entering the passcode.

In February, Benjamin Kunz Mejri disclosed an authentication bypass vulnerability affecting both iPhones and iPads running iOS 8 and iOS 9 that attackers could exploit to get past the lock screen passcode.

"An application update loop that results in a pass code bypass vulnerability has been discovered in the official Apple iOS (iPhone5&6|iPad2) v8.x, v9.0, v9.1 & v9.2. The security vulnerability allows local attackers to bypass pass code lock protection of the Apple iPhone via an application update loop issue. The issue affects the device security when processing a request for a local update by an installed mobile iOS web-application," states the technical description published by vulnerability-lab.com.

The attacker can push the iOS device into an endless application update loop, which temporarily deactivates the passcode lock screen.

The real problem is that this class of flaws tends to be underestimated by manufacturers because the attack requires physical access: the attacker must be in possession of the device. In this specific case the flaw is still present three months after it was reported (2016-01-03: Researcher Notification & Coordination (Benjamin Kunz Mejri – Evolution Security GmbH)).

“The issue is not fixed after a three-month duration. We have the newest versions of iPad and iPhone and are still able to reproduce it after the updates with default configuration,” Mejri told Threatpost Monday.

This time Mejri described a number of attack vectors that rely on an internal browser link request to skip the passcode screen. All of them start from the locked device, via Siri or the Control Center panel, and end in the same place: a restricted App Store browser window from which the attacker can return to the home screen.

In the first scenario, the attacker asks Siri to open an app that does not exist. Siri responds by opening a restricted browser window to the App Store, and from there the attacker can switch back to the home screen, either with the home button or by invoking Siri again.

In the second scenario the attacker uses the Control Center panel to reach the Clock app, which is not restricted on the lock screen. The attacker opens the app via Siri or via the panel, then navigates to the Timer and its end-of-timer sound selection (the default "Radar" tone). That screen offers a link to buy more alert sounds; pushing the link opens a restricted App Store browser window, and the attacker is in the same situation as in the first attack vector.

In the third scenario, the attacker opens the Clock app via the panel or through a Siri request. The internal World Clock module includes, at the bottom right, a link to The Weather Channel that redirects users to the App Store when the Weather app is deactivated on the device. Pushing the link again opens a restricted App Store browser window.

"At that point it is possible to switch back without authorization to the internal home screen by interaction with the home button or with Siri again. The link to bypass the controls becomes visible in the World Clock (Weather Channel) and is an image as link. This special case is limited to the iPad because only those models display the web world map. In the iPhone version the bug does not exist because the map is not displayed, because of using a limited template. The vulnerability is exploitable in the Apple iPad2 with iOS v9.0, v9.1 & v9.2.1," wrote Mejri.

In the fourth scenario the attacker opens the Calendar (app and event) panel via Siri, then, under the Tomorrow entry, taps the "Information of Weather" (Informationen zum Wetter – Weather Channel LLC) link at the bottom left. Because the Weather app is deactivated on the iOS device, a new browser window to the App Store opens, and the attacker is back in the same situation as in the other vectors.

It is unclear when Apple will fix the issues; it is possible that the flaws will be addressed in iOS 9.3.

Pierluigi Paganini

(Security Affairs – iOS, Siri)

