A series of vulnerabilities found in the latest version of Apple’s mobile operating system allegedly allow an attacker to bypass the passcode mechanism on an iPhone or iPad, but we have been unable to replicate the exploit.
On Monday, security research firm Vulnerability Laboratory published an advisory in which it provides some context on the alleged security issues:
“The vulnerabilities are located in the ‘Appstore’, ‘Buy more Tones’ or ‘Weather Channel’ links of the Clock, Event Calendar & Siri User Interface.”
“Local attackers can use Siri, the event calendar or the available clock module for an internal browser link request to the appstore that is able to bypass the customer’s passcode or fingerprint protection mechanism. The attacker can exploit the issue in several ways with Siri, the events calendar or the clock app of the control panel on default settings to gain unauthorized access to the affected Apple mobile iOS devices.”
The advisory claims that the vulnerabilities affect iOS 9.0, 9.1 and 9.2.1 on the iPhone 5, 5s, 6 and 6s and on the iPad mini 1 and 2. It rates them as “High” severity and assigns them a CVSS score of 6.4.
The advisory details four scenarios by which an attacker could exploit the vulnerabilities. In most of them, the attacker uses a Siri request to open an app that is not restricted from the lock screen, such as the Clock app.
Once the target app has been opened, the attacker clicks on a link that opens a restricted App Store browser window, such as “Buy More Tones” or “App Store.” At that point, the attacker then uses Siri or presses the Home button twice to return to the home screen with full access to the device.
A YouTube video claims to demonstrate the exploitation of these vulnerabilities:
We tried to replicate these exploits to see if they really worked.
However, we were able to get past the passcode only when we pressed the Home button with a finger that had previously been registered with Touch ID. When we tried the same steps with a finger that we hadn’t registered with Touch ID, we couldn’t get the App Store button to work at all: the device simply kept prompting for the passcode or a valid fingerprint.
News of these vulnerabilities has been making its way around the web.
Such coverage has sparked skepticism in some observers, with Adrian Kingsley-Hughes commenting on ZDNet that the exploits appear to consist of little more than activating Apple’s Touch ID fingerprint authentication mechanism while invoking Siri.
Given our trouble replicating the exploits with a finger not registered with Touch ID, this could very well be the case. Our suspicion is that the researchers may have been unwittingly unlocking the device with their own recognised fingerprint, not realising that the steps might have failed had they used a non-registered finger.
So, it appears these vulnerabilities might not constitute true security risks.
But we can draw some lessons from this event nevertheless.
First, if they have not already done so, iOS users should protect their iPhones and iPads with a passcode and, where available, activate Touch ID.
Second, to protect against genuine passcode bypass vulnerabilities in iOS, users should also be careful never to leave their device unattended in a public place. Most passcode bypass exploits require physical access to the device, so an attacker who cannot get hold of your phone has little opportunity to use one.