How to easily bypass iPhone 6s Lockscreen to access Photos and Contacts

Pierluigi Paganini April 06, 2016

iPhone 6s and 6s Plus running the latest iOS version are plagued by a vulnerability that can be exploited to bypass the lockscreen.

Another flaw plagues the new Apple iPhone 6s and 6s Plus: this time the devices are affected by a lockscreen bypass vulnerability that local attackers could exploit to access photos, SMS, MMS, emails, the phone app, mailbox, phone settings or other default/installed mobile apps.

The vulnerability was discovered by the security firm Vulnerability Lab, which reported the issue to Apple in mid-March but decided to disclose it last week after the release of iOS 9.3.1, which did not fix the problem.


We have read about similar flaws in the past; in this case too, attackers can access data stored on a locked iPhone 6s by using the Siri (Speech Interpretation and Recognition Interface) assistant. The attacker can use Siri to conduct an online search for email addresses via Twitter or another mobile app installed on the iPhone 6s, and can then bring up a context menu by pressing deeper on one of the email addresses returned by the query.

At this point, iOS shows a menu that the attacker can use to create or update contacts, which exposes the entire list of contacts stored on the iPhone 6s. The attacker can then add a photo to that contact, a trick that gives access to the photos stored on the device.

“A passcode bypass vulnerability has been discovered in the official Apple iOS v9.3.1 for iPhone 6S & iPhone Plus models. The vulnerability allows local attackers to bypass the physical device protection mechanism of the iphone 6s and plus models.” states the advisory published by Vulnerability Lab. “The security risk of the passcode bypass vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.1.”

What happens if the attacker searches for an email address that already exists in the contact list?

No problem, the attacker can access options that allow him to send SMS messages and emails anyway.

Below is a video PoC of the hack:

The above bypass technique only works on iPhone 6s and 6s Plus phones because it relies on the recently introduced 3D Touch feature, which lets users access various functions of the iPhone by applying pressure to the display.

While waiting for a fix, I suggest disabling Siri or restricting its access to user data.


Pierluigi Paganini

(Security Affairs – iPhone 6s, hacking)


