Apple goes server-side to fix Siri lock screen bypass security flaw

Apple has fixed a security flaw in Siri that let attackers with physical access to a device snoop through a victim's media and contacts.
The security flaw, posted on Full Disclosure, came to light on Tuesday. Security researcher Benjamin Kunz Mejri discovered the bypass flaw and publicly disclosed the vulnerability after two weeks of waiting for Apple to respond to his submission without success.
The bug affects the iPhone 6S and 6S Plus, and was exploitable on iOS 9.2 and beyond -- including the latest 9.3.1 update.
In order to exploit the bug, attackers do not need to scan a fingerprint or guess at the passcode. Instead, the victim's device must adhere to a particular set of circumstances -- namely, Apple's voice assistant Siri must have access to the lock screen and a Twitter account.
The iPad and iPhone maker's "Force Touch" feature must also be present -- and this is why only the iPhone 6S and 6S Plus are affected, as they are the only smartphones in Apple's range which include the pressure-sensitive new trackpad.
When these requirements are met, an attacker with access to the smartphone can call up Siri to access Twitter and search for an email or contact. By continuing to press down, an attacker can open up editable contacts, photos, emails and other contact data.
The security flaw could be temporarily 'patched' by disabling Siri from the lock screen. However, after the security issue went public, Apple said in a statement to the Washington Post that the bug was patched server-side on Tuesday morning.
Users are now protected from the vulnerability without any need to update. Attempting to exploit this issue now results in a screen which says, "You'll need to unlock your iPhone first."
According to 9to5Mac, Apple used the opportunity to patch another bug -- albeit far less important -- which related to Night Shift mode. You used to be able to use Siri to activate this mode while Low Power Mode was enabled, but users are now unable to implement both at the same time with the latest server-side update.