Your iPhone might not be as secure as you think – even when your device is locked and protected with a passcode.
A recently discovered security flaw affecting iOS 8.0 and up lets anyone bypass an iPhone’s password lock screen to access data including contact information, message logs as well as photos. The method is detailed in the YouTube video above by popular tech YouTuber iDeviceHelp and requires two things: physical access to the device and that Siri has been enabled on the lock screen.
What’s particularly troubling is that hackers don’t even need to know your passcode to circumvent your phone’s defences.
Once in possession of your smartphone, attackers can take advantage of Siri to obtain your own phone number. This will allow them to call the phone from another device and consequently gain access to iMessages without ever unlocking your iPhone.
After declining the call with a message, the VoiceOver feature can be hijacked to cause unintended behavior in the messaging screen which then allows access to the phone’s contacts, photos, and messages.
Here are the full steps to recreate this:
- Ask Siri “Who am I?” on the target iPhone.
- Call the target iPhone using FaceTime.
- On the target iPhone, tap on “Message” on the call screen, then “Custom.”
- Ask Siri to “Turn on VoiceOver,” then exit Siri.
- Double-tap on the contact bar where “To: person” is, then immediately tap on the keyboard. This may take a few tries.
- When the Camera, Digital Touch, and iMessage apps icons appear, ask Siri to “Turn off VoiceOver.”
- Exit Siri, then type a letter on the keyboard to find contacts that begin with that letter.
- Look for a contact with an info icon, then tap on the “i.”
- You’re now in that contact’s info.
- Hit “Create New Contact.”
- Select “add photo” in the top-left.
- Finally, select “Choose Photo,” and you’ll have access to the entire iPhone’s photos, even though the iPhone is still locked.
Here’s a video by EverythingApplePro who managed to recreate this.
Thankfully, as with pretty much all of the iOS lockscreen bypasses, there is an easy way to prevent this from happening: disable Siri access on the lockscreen.
To disable Siri access on the lockscreen, go to the
If Siri is turned on, you will see a slider to turn off
Access on Lock Screen.
Alternatively, you can turn off Siri altogether with the
Siri slider at the top, in which case the other configuration options will disappear from sight:
But even then, there’s no way to tell what the next lock screen bypass hack will rely on , so you should protect your iPhone as if it contained everything that’s precious to you—because it probably does. The vulnerability has been reported to Apple so I’m guessing an update should follow shortly.
Are you concerned about iPhone hacks like this, or are they overblown?