A critical security flaw in Apple's newest iPhones running the latest version of the iOS operating system allows anyone to bypass the phone's lockscreen and gain access to personal information.
The iPhone lockscreen bypass bug only works on the iPhone 6S and iPhone 6S Plus, as these devices take advantage of the 3D Touch functionality that is used to bypass the lockscreen passcode and access photos and contacts.
The lockscreen bypass bug is present in iOS 9.2 and later, including the latest iOS 9.3.1 update, released last week.
Anyone with physical access to an affected iPhone can gain access to the victim's photos, emails, text and picture messages, contacts, and phone settings, according to the Full Disclosure mailing list.
Here's How to bypass iPhone's Lockscreen
Step 1: If you own iPhone 6S or 6S Plus, first lock your device.
Step 2: Invoke Siri and speak 'Search Twitter.'
Step 3: When Siri asks what you want to search for, reply her: 'at-sign Gmail dot com' or any other popular email domain, as the aim is to find a tweet containing a valid email address.
Step 4: Once you get the results, tap on a tweet with a valid email address.
Step 5: Now 3D Touch that email address in order to bring up the contextual menu.
Step 6: Tap 'Create New Contact.'
Step 7: Now add an image in order to view all the images on the device.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
You may have to give Siri access to the Photo Library. You can even see contacts on the iPhone by using the 'Add to Existing Contact' option instead.
You can also watch the video demonstrating the security issue.
However, it's as simple to access user's personal data on a locked iPhone as to fix the bug yourself while waiting for Apple to roll out a permanent fix.
Here's how to Fix the iPhone Lockscreen Bug
The vulnerability can be temporarily fixed by just disabling Siri from the lockscreen though it will cripple your iOS 9.3 or iOS 9.3.1 experience.
- Go to the Settings → Touch ID & Passcode and Disable Siri on the Lockscreen.
Alternatively, you can just remove Photos access from Siri, so that anyone with the advantage of the flaw can not view any of your personal pictures.
- Go to Settings → Privacy → Photos and then prevent Siri from accessing pictures.
Of course, Siri could still ask your permission to view photos on the iPhone when somebody would try to abuse the security issue.