Update: An earlier version of this article mistakenly presented this bug as a passcode lock screen bypass.
As any attacker requires access to an unlocked iOS device in the first place in order to disable subsequent appearances of the lock screen, this is an inaccurate representation of the threat.
The following version of the article has been updated accordingly.
Researchers have uncovered a new Apple zero-day vulnerability that allows an attacker to disable the passcode lock screen on iOS 8 and iOS 9, without authentication. However, as any attacker would require physical access to an unlocked iOS device in the first place, the threat is limited.
On Thursday, security research firm Vulnerability Laboratory published an advisory about what they described as an authentication bypass vulnerability which affects a number of models of the iPhone and iPad:
“An application update loop that results in a pass code bypass vulnerability has been discovered in the official Apple iOS (iPhone 5 & 6 | iPad 2) v8.x, v9.0, v9.1 & v9.2. The security vulnerability allows local attackers to bypass pass code lock protection of the apple iphone via an application update loop issue. The issue affects the device security when processing to request a local update by an installed mobile ios web-application.”
The vulnerability, which was discovered by Benjamin Kunz Mejri, a penetration tester and security analyst for Vulnerability Lab, exists in the hardware configuration of iOS versions 8 and 9 and enables an attacker to place a device into a runtime mode in which an endless loop occurs.
This condition can be exploited by shutting down (or powering off) the device while it is in that state, at which point the passcode authentication feature is not activated as designed. Upon reboot (or re-activation), that protective feature remains disabled, allowing an attacker to access the device without a passcode.
Of course, it is worth remembering that the attacker already had access to an iOS device without a passcode, so the threat appears to be more theoretical rather than something that is worth losing sleep over.
In its bulletin, Vulnerability Laboratory shares a list of steps (in slightly broken English) that allow interested parties to replicate the bug:
- First, fill up some percentage of the free memory in the iOS device with random data
- Now open the App Store and choose to update all applications (the "update all" push button)
- Switch quickly via the home button to the slide index and perform an iOS update at the same time. Note: the interaction to switch needs to be performed very fast to successfully exploit. During the first load of the update you can still use the home button. Press it to go back to the index
- Now press the home button again to review the open running slides
- Switch to the left menu after the last slide, which is new, and open Siri in the same moment. Now the slide hangs and runs in a loop all the time
- Turn off via the power button on the iPad or iPhone …
- Reactivate via the power button and, as you can see, the session still runs in the loop and can be requested without any passcode. Note: normally the passcode becomes required after the power-off button interaction to stand-by mode
- Successful reproduction of the local security vulnerability!
A video demonstration of the passcode being disabled has also been made available.
Kunz Mejri and his fellow researchers reported the bug to Apple's Product Security Team in late 2015. The company provided some feedback in January, but as of this writing, Apple has yet to patch the vulnerability.
With that being said, even though the vulnerability appears serious at first, an attacker can exploit the bug only via a manipulated iOS device or via physical device access. Either method requires the attacker to manually run several update processes simultaneously, or to trigger them remotely after first exploiting an iOS app by hand.
And surely, if an attacker wished to create mischief, they would attempt to cause harm while they had their initial access to the unlocked device.
These means of exploitation require some fancy, timing-based, and hands-on coordination which would make it difficult (but not altogether impossible) for an attacker to disable the pass code on your iDevice.
iOS users should therefore be careful when leaving their devices unattended around people they might not know.
This advice holds water in all scenarios regardless of whether Apple ever decides to patch the bug.
'Of course, it is worth remembering that the attacker already had access to an iOS device without a passcode, so the threat appears to be more theoretical rather than something that is worth losing sleep over.'
No. Because that mentality is what will bite you repeatedly. The impossible can be made possible. Then what?
'And surely, if an attacker wished to create mischief, they would attempt to cause harm while they had their initial access to the unlocked device.'
Making assumptions is a big mistake in security just as much as it is elsewhere.
'These means of exploitation require some fancy, timing-based, and hands-on coordination which would make it difficult (but not altogether impossible) for an attacker to disable the pass code on your iDevice.'
The problem is the possibility – the instance isn't but it is inevitable (and one might argue a demonstration of the attack IS an instance of it).