X
Tech

iOS 7 lock screen bypass flaw allows full access to photos, contacts: Here's how to fix it

UPDATED 3: The iOS 7 lock screen can be bypassed with a series of gesture techniques. This major bug makes the entire device's contact data open for taking, as well as allowing photos to be edited, deleted, and shared with others.
Written by Zack Whittaker, Contributor
touchidhero-v2-620x362
Image: Apple; Screenshot: ZDNet

Editor's note: We have updated this piece, first published on September 19, following reports that this bug also allowed access to contact data. See below for updates.

Just one day after Apple's latest mobile operating system iOS 7 was released to the public, one user discovered a security vulnerability in the software's lock screen.

In a video posted online, Canary Islands-based soldier Jose Rodriguez detailed the flaw, which allowed him to access the multitasking view of the software without entering a passcode. With this, it's possible to access personal and sensitive data on the device, including contact details of others, as well as any photos or videos taken.

The video, replicated below, shows the sequence of presses and taps that make this exploit possible, despite being fiddly and taking many attempts. The first step is to bring up the device's Control Center and accessing the Clock app, then hold down the power button until you are given the on-screen prompt to shut down the device. After you hit cancel, immediately double-tapping the home button brings up the multitasking view as expected.

With this bug, it's possible to access an array of photos under the Camera Roll, and thus access to sharing features — including Twitter.

If the Camera app is opened first (provided it is accessible from the lock screen), by exploiting the same sequence of presses, the Camera Roll opens up. From here, images can be deleted, uploaded, edited, and shared with others. 

ZDNet confirmed this bug exists on an array of devices. In our New York newsroom, we tested on iOS 7 on an iPhone 4S, an iPhone 5, and the new iPhone 5c.

All devices were exploited in the same way with the lock screen bypass technique, and all devices acted in exactly the same fashion. 

Screen Shot 2013-09-19 at 16.35.10
These screenshots were taken of an iPhone 4S, giving access to photos and sharing features, despite being locked with a passcode.
Image: ZDNet

Perhaps more concerningly, this bug also allows unfettered access to contact data — from the Contacts app — should one choose to share a photo via iMessage.

As soon as one writes a new message, adding a new contact allows complete and unrestricted access to contact details of friends, family members, and colleagues. Email addresses, phone numbers, and other personal and sensitive data can be accessed via this lock-screen flaw.

upload-w3905u2396u23
It is possible to access the entire device's contact list via this bug.
Image: ZDNet

You can see in the video (below) that even though the multitasking view — which offers a much larger view than previous iOS iterations — is viewable, the contents of the apps are not visible.

iOS 7 blurs the contents of the apps, meaning would-be attackers cannot see what is going on. The only exception is the home screen, which is viewable, including which apps have been installed, along with the user's wallpaper.

Despite the flaw, iOS 7 patches 80 security vulnerabilities, according to ZDNet's Larry Seltzer. But this kind of flaw, albeit minor, may not install a vast amount of confidence in users already jarred by the new design and user interface.

Rodriguez also found a bug in iOS 6.1.3, which allowed potential hackers to access an iPhone running vulnerable software by ejecting the SIM card tray.

Until Apple issues an official fix, iOS 7 users can simply disabling access to the Control Center on the lock screen. In Settings, then Control Center. From here, swipe the option on Access on Lock Screen so that it no longer displays on the lock screen.

We put in a request for comment to Apple but did not hear back at the time of writing. An Apple spokesperson told AllThingsD, however, that the company is "aware" of the issue and will deliver a fix soon.

Update 1 at 4:15 p.m. ET: with additional details regarding the Camera app. Also added additional attribution to Forbes, which was mistakenly omitted from the original piece.

Update 2 at 5:40 p.m. ET on September 22: with additional details on access to contact data.

(via Forbes)

Editorial standards