
Security flaw in iOS 9 discovered, could expose photos, contacts
NewsPoster
MacNN Staff
Join Date: Jul 2012
Sep 23, 2015, 05:18 PM
 
A new flaw discovered in iOS 9 could -- assuming the attacker has physical access to the device -- allow someone access to a user's contacts and photos without a PIN code. The flaw takes advantage of the fact that Siri can be called up from the lock screen without unlocking the device first -- an ability that can be turned off in settings, if users are concerned about the possibility of others gaining access to the mobile device.

MacNN has verified that the flaw appears to exist on all iOS devices running iOS 9, and the flaw also appears to work with the updated 9.0.1 update issued earlier today, suggesting Apple was unaware of the issue or has not yet developed a fix. A video available on YouTube details the attack, which calls up Siri just before an attacker inputs the wrong passcode for a fifth time. Asking Siri to open the Messages app does not, in this specific circumstance, bring up the usual "you'll have to unlock your [device] first" warning, and opens Messages -- which then gives the attacker limited access to both Contacts and Photos.



Until Apple issues a fix for the problem, Siri access from the lock screen can be turned off in the Settings app through the "Touch ID & Passcode" preference, scrolling down to "Allow access when locked," and turning off Siri there -- doing so will prevent the possibility of a successful attack. Apple has been made aware of the issue, which was first reported by BGR.
     
lkrupp
Forum Regular
Join Date: May 2001
Location: Collinsville, IL, USA
Sep 23, 2015, 05:54 PM
 
So I guess these assholes sit around all day fiddling with devices to see if they can break in. How else would they come across something like this?
     
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Sep 23, 2015, 06:10 PM
 
Yeah, that's pretty much my theory on how this gets found out.
     
Atheist
Mac Elite
Join Date: Sep 2006
Location: Back in the Good Ole US of A
Sep 23, 2015, 06:10 PM
 
It may be helpful if you detailed exactly what the vulnerabilities are with "limited access to both Contacts and Photos". Can data be deleted?
     
nowayoutofmymind
Fresh-Faced Recruit
Join Date: Jun 2007
Sep 23, 2015, 06:12 PM
 
I still cannot understand why Apple does not use some of its absolutely insane amounts of money to hire a decent tiger team and really try to harden the software before going public with it. If people can so easily and quickly find these kinds of bugs and weaknesses, a good hardening team should be able to do the same and more. The damage to the image is way more expensive...
     
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Sep 23, 2015, 06:28 PM
 
Originally Posted by Atheist:
It may be helpful if you detailed exactly what the vulnerabilities are with "limited access to both Contacts and Photos". Can data be deleted?
Just viewing.
     
prl99
Senior User
Join Date: Mar 2009
Location: pacific northwest
Sep 23, 2015, 06:39 PM
 
Your explanation on how to turn Siri off doesn't work on my iPhone 6. Going to Settings/Touch ID & Passcode and scrolling down to Allow Access When Locked doesn't give me anything that says Siri, only Today, Notifications View, Reply with Message, and Wallet. Which one is for Siri?

Running latest patch, iOS 9.0.1.
     
Charles Martin
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Sep 23, 2015, 11:22 PM
 
prl99: I have no explanation for you, it's there on my iPhone 5s. Today, Notifications View, Siri, Reply with Message, and Wallet. Perhaps you have deactivated Siri elsewhere?
Charles Martin
MacNN Editor
     
prl99
Senior User
Join Date: Mar 2009
Location: pacific northwest
Sep 24, 2015, 09:20 AM
 
I had never turned Siri on, so an easier way to disable this exploit is simply to turn Siri off in the General setting. I tested by enabling Siri and it showed in the Touch ID & Passcode settings.
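
An added example, not part of the original thread and not Apple or MacNN code: on managed devices, the two mitigations discussed above (turning off Siri under "Allow access when locked", or turning Siri off entirely) correspond to the `allowAssistantWhileLocked` and `allowAssistant` keys of the Restrictions payload in a configuration profile. The script below audits profiles for that setting; the profile names, identifiers and UUIDs are constructed placeholders.

```python
import plistlib

RESTRICTIONS = "com.apple.applicationaccess"  # Restrictions payload type


def make_profile(**restrictions):
    """Build a constructed sample .mobileconfig (placeholder identifiers)."""
    payload = {
        "PayloadType": RESTRICTIONS,
        "PayloadIdentifier": "com.example.restrictions",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadVersion": 1,
        **restrictions,
    }
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.lockscreen",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadVersion": 1,
        "PayloadContent": [payload],
    })


def siri_reachable_when_locked(profile_bytes):
    """True if this profile leaves Siri available on the lock screen."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS:
            continue
        # Both keys default to true; either one set to false closes the path.
        if payload.get("allowAssistantWhileLocked", True) is False:
            return False
        if payload.get("allowAssistant", True) is False:
            return False
    return True


def audit(profiles):
    """Return the names of profiles that still expose Siri when locked."""
    return sorted(n for n, p in profiles.items() if siri_reachable_when_locked(p))


# Constructed sample fleet: one profile per configuration discussed in the thread.
SAMPLE = {
    "no-restriction": make_profile(),
    "siri-off-on-lock-screen": make_profile(allowAssistantWhileLocked=False),
    "siri-off-entirely": make_profile(allowAssistant=False),
    "explicitly-allowed": make_profile(allowAssistantWhileLocked=True),
}

if __name__ == "__main__":
    print("Profiles leaving Siri on the lock screen:", audit(SAMPLE))
```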
     
iBricking.com
Banned
Join Date: Dec 2007
Sep 24, 2015, 10:07 AM
 
Be thankful, lkrupp, that such fiddlers discover very real vulnerabilities so Apple can eliminate them.
     
Grendelmon
Senior User
Join Date: Dec 2007
Location: Too F'ing Cold, USA
Sep 24, 2015, 11:34 AM
 
Originally Posted by lkrupp:
So I guess these assholes sit around all day fiddling with devices to see if they can break in. How else would they come across something like this?
The kool-aid is strong with this one.
     
Flying Meat
Senior User
Join Date: Jan 2007
Location: SF
Sep 24, 2015, 11:58 AM
 
Ignorance is bliss?
     
All times are GMT -4.