Security hole in iOS 9.3.1 could offer passcode-free access to photos, contacts under certain conditions
Date: Tuesday, April 5th, 2016, 08:35
Category: iOS, News, security
If you’re running iOS 9.3.1 and gave Siri access to your Twitter information as well as your Contacts or Photos, this is something worth looking into.
A video surfaced online yesterday purporting to show a vulnerability in iOS 9.3.1 that allows anyone to access photos and contacts on a locked iPhone without having to enter a passcode.
The YouTube video, uploaded by Jose Rodriguez, depicts a user performing a Siri search followed by a series of relatively simple steps, one of which involves 3D Touch, limiting the exploit to iPhone 6s and 6s Plus devices.
The procedure starts by invoking Siri on the locked phone by holding the home button or using the “Hey, Siri” function, and then asking the personal assistant to initiate a Twitter search. When the returned results include contact details such as an email address, a 3D Touch gesture is used on the contact information to bring up a Quick Actions menu. Tapping “Add to Existing Contact” then brings up the iPhone’s Contacts list. By selecting a contact and opting to add a photo to the entry, the phone’s photo library can also be freely accessed.
For the bypass to work, you have to have given Siri access to your Twitter account information as well as Contacts or Photos, both actions requiring that you’ve initially established ownership of the device with a passcode or Touch ID. Additionally, if the iPhone has exited a Touch ID grace period, a passcode is still required before using Siri.
Users can prevent this by going to Settings -> Privacy -> Twitter and, if Siri is listed, turning off its access. Likewise, in Privacy -> Photos, turn any listing of Siri access to the Off position. Revoking Siri’s access to your Contacts requires the more drastic action of disabling Siri lock screen activation. To do so, go to Settings -> Touch ID & Passcode and turn off the Siri switch.
The issue is found in the iOS 9.3.1 update, which came out late last week as an effort to repair a significant web link crashing issue that affected many iOS users.
Stay tuned for additional details as they become available.