Let the wild speculation about just how the FBI cracked San Bernardino killer’s phone begin
Update: Server-side salvation from Cupertino

In a release that’s bound to spark all sorts of speculation, Vulnerability Lab has disclosed an iOS touch passcode bypass at Full Disclosure on April 5.
Apple has pushed a fix on the server side, as noted at the end of this story.
In late March, Johns Hopkins University professor Matthew Green said a bypass existed, but withheld details pending Apple’s patch.
This may or may not refer to the same issue: Vulnerability Lab says the bug is present in iOS 9.3.1 (as well as 9.2.1), even after Cupertino’s April 4 2016 update.
The group says it notified Apple of the issue on March 18.
Here’s what the researchers, led by Benjamin Kunz Mejri, found: some installed applications allow interactions without demanding a passcode.
Example applications listed in the advisory include Yahoo!, Twitter and Facebook.
On a locked phone, the attacker can use Siri to search through the target application; that search shows an @ tag in the slide preview, the advisory says, and pushing the @ tag button makes the basic context menu available.
If the attacker then chooses an action such as “add contact”, Vulnerability Lab says, and then navigates to add a picture to the contact, they end up with “access to the photo album of the apple device without secure auth”.
They can then exploit the contact they’ve created to access the mailbox, again without authorisation.
Adding an e-mail to the contact will yield access to the iPhone’s address book, the advisory adds.
As a temporary fix, users should disable Siri and deny Siri access to pictures and the address book.
And in the long term? This flaw has obvious overlaps with United States authorities’ interest in iPhones’ innards, which the FBI says it sated with the help of a Japanese firm. Or did it? ®
Update: Thanks to the commentard who alerted us to Apple’s fix for the issue.
Siri now demands your lock screen passcode if someone asks it for a search while the phone is at a secured lock screen.
As 9to5Mac notes, implementing the fix at the server side let Cupertino move fast on blocking the vulnerability. ®