“Over the years iPhones and iPads have been plagued on many occasions by passcode bypasses,” Graham Cluley, a contributor to Internet security firm BitDefender’s news site, Hot for Security, writes in a Nov. 17 blog post. “It would be nice to think that as we’re now up to iOS 10 that Apple would have prevented such bypasses from working once and for all. But no such luck.”
Granted, in order to break into your iPhone an attacker would need physical access to your device. But should it fall to the wrong hands they would only need to hold down its buttons and ask, “Who am I?”
If enabled, Siri would then helpfully tell the attacker your device’s phone number.
“With that information you’re only a few steps away from accessing the owner’s personal photographs, address book and messages,” Cluley writes:
- First they use their phone to call yours.
- On your phone they can then click the Message icon and send a reply.
- Using Siri, they can then tell your phone to “Turn On VoiceOver,” a built-in iOS feature that provides gesture-based screen reading for visually-impaired users.
- They can then return to your phone’s message screen, double-click the bar where contact information is displayed, and immediately click on the on-screen keyboard.
- At this point, the attacker can ask Siri to disable VoiceOver, and after typing characters into the top bar they should be able to access contact details, along with the option to create a new contact…
- …But instead of adding a new contact, they can select the “Photo” icon, choose “Add Photo” – and suddenly they’ll have access to your photo gallery. By selecting contacts, they can see your past messages.
Step four might take “multiple attempts to get the timing right,” Cluley writes. “But you will know you’ve succeeded when you see the “Photo” icon and other options slide in from the side above the keyboard.”
“So much for it being locked.”
And in case you’re wondering: Yes, the bypass works on iPads too, provided they’re running the latest version of iOS.
Fortunately, you can disable Siri on your device’s lockscreen by going to Settings, choosing “Touch ID & Passcode,” and selecting “Disable Siri on the Lockscreen”.
“Chances are that Apple will release a security update in due course to shut down this latest passcode bypass, but it would be a brave man who placed money on Apple never suffering from a similar security goof in [the] future,” Cluley writes.