When it is time for an upgrade or when the user simply wants a new phone, they arrive at their retailer and ask a few questions. The consumer purchases their new shiny iPhone and open the box with glee. They or the salesperson sets up the phone. The user generally at this point sets the passcode for the iPhone believing the iPhone is now totally secure. Even if someone else is holding the phone with physical possession, it does not matter. The user has the passcode. This is not quite the case. Recently there has been a POC attack published and also demonstrated on YouTube.
For this to work, the attacker has to have physical access of the phone. This will, post attack, allow their access to the iPhone’s messages, photos, and contacts. This also bypasses the TouchID, even when configured correctly. This uses Siri to activate the VoiceOver feature. The person receives a call. The target phone does not pick up the call and a message is left. This VoiceOver feature works to take over the phone and causes behavior not anticipated by the programmers. This attack only takes a few minutes.
This does not affect all iPhones, thankfully. The phones that may be affected include the iPhone 7 with iOS 10.2 beta 3, iPhone 4 with iOS 8, and certain iPads. The primary way to remediate this is to turn Siri off. This would diminish the overall functionality of the iPhone, however the user would be safer.
Khandelwal, S. (2016, November 16). New hack: How to bypass iPhone passcode to access photos and messages. Retrieved from http://thehackernews.com/2016/11/iphone-hacking.html
Varmazis, M. (2016, November 18). iPhones vulnerable to yet another lockscreen by bypass. Retrieved from https://nakedsecurity.sophos.com/2016/11/18/iphones-vulnerable-to-yet-another-lockscreen-bypass/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.
Share on Facebook
Share on Twitter
I'm busy working on my blog posts. Watch this space!