Thursday 7 April 2016

Vulnerability in iPhone 6S Allows Access to Contacts and Photos

A security bug in iPhone 6S and 6S Plus can allow anyone bypass the phone lock and access personal data without the passcode. The flaw was discovered by Jose Rodriguez, who also discovered a similar security flaw in 2015. This bug needs Siri to execute, but unlike many other iPhone hacks, this one is quite easy.

You just need to fire up Siri from the phone lockscreen and ask it to search Twitter for any email address. When at least one is found, you can 3D Touch the email address, which brings up a menu offering to create a new contact or add to an existing one. In other words, this action gives the attacker access to all the contacts. Moreover, the Contacts app usually has a permission to access the photo library, which means that the attacker can also browse user’s photos by pretending to make an attempt to add a photo to the contact. Needless to say, the access is granted without unlocking the iPhone.
Is there any way to protect yourself from having your private data accessed with the lockscreen bypass? Yes, there is. You can simply deny Siri and the Contacts app access to your photo library within the Privacy settings. In the meantime, preventing access to contacts through the bug is a bit more complicated: you need to disable Siri while the device is locked both in the Touch ID and Passcode settings.
Security experts remind that the bypass flaw only affects Apple devices with 3D Touch screens. In the meantime, the timing of the flaw coincides with the FBI’s battles with the manufacturer to unlock the San Bernardino shooter’s iPhone 5C. The FBI has yet to divulge how it unlocked the device and whether it used a security flaw to bypass the passcode. A few days ago, the agency promised US local and state law enforcement to help them unlock Apple mobile devices in criminal cases.

No comments:

Post a Comment