Security flaw in iOS 9 discovered, could expose photos, contacts
A new flaw discovered in iOS 9 could -- assuming the attacker has physical access to the device -- allow someone access to a user's contacts and photos without a PIN code. The flaw takes advantage of the fact that Siri can be called up from the lock screen without unlocking the device first -- an ability that can be turned off in settings, if users are concerned about the possibility of others gaining access to the mobile device.
MacNN has verified that the flaw appears to exist on all iOS devices running iOS 9, and that it also appears to work with the 9.0.1 update issued earlier today, suggesting Apple was unaware of the issue or has not yet developed a fix. A video available on YouTube details the attack, which calls up Siri just before an attacker inputs the wrong passcode for a fifth time. Asking Siri to open the Messages app does not, in this specific circumstance, bring up the usual "you'll have to unlock your [device] first" warning, and opens Messages -- which then gives the attacker limited access to both Contacts and Photos.
Until Apple issues a fix for the problem, Siri access from the lock screen can be turned off in the Settings app through the "Touch ID & Passcode" preference, scrolling down to "Allow access when locked," and turning off Siri there -- doing so will prevent the possibility of a successful attack. Apple has been made aware of the issue, which was first reported by BGR.
I still cannot understand why Apple does not use some of its absolutely insane amounts of money to hire a decent tiger team and really try to harden the software before going public with it. If people can so easily and quickly find these kinds of bugs and weaknesses, a good hardening team should be able to do the same and more. The damage to the image is way more expensive...
Your explanation on how to turn Siri off doesn't work on my iPhone 6. Going to Settings/Touch ID & Passcode and scrolling down to Allow Access When Locked doesn't give me anything that says Siri, only Today, Notifications View, Reply with Message, and Wallet. Which one is for Siri?
prl99: I have no explanation for you, it's there on my iPhone 5s. Today, Notifications View, Siri, Reply with Message, and Wallet. Perhaps you have deactivated Siri elsewhere?
I had never turned Siri on so an easier way to disable this exploit is simply to turn Siri off in the General setting. I tested by enabling Siri and it showed in the Touch ID & Passcode settings.