Tech

Apple goes server-side to fix Siri lock screen bypass security flaw

The bug allowed attackers to bypass the lock screen to access a user's media, contacts and settings.

Written by Charlie Osborne, Contributing Writer April 6, 2016 at 2:17 a.m. PT

Apple has fixed a security flaw within Siri which granted attackers with physical access to a device the chance to snoop through a victim's media and contacts.

The security flaw, posted on Full Disclosure, came to light on Tuesday. Security researcher Benjamin Kunz Mejri discovered the bypass flaw and publicly disclosed the vulnerability after two weeks of waiting for Apple to respond to his submission without success.

Security

The bug affects the iPhone 6S and 6S Plus, and was exploitable on iOS 9.2 and beyond -- including the latest 9.3.1 update.

In order to exploit the bug, attackers do not need to scan a fingerprint or guess at the passcode. Instead, the victim's device must adhere to a particular set of circumstances -- namely, Apple's voice assistant Siri must have access to the lock screen and a Twitter account.

The iPad and iPhone maker's "Force Touch" feature must also be present -- and this is why only the iPhone 6S and 6S Plus are affected, as they are the only smartphones in Apple's range which include the pressure-sensitive new trackpad.

When these requirements are met, an attacker with access to the smartphone can call up Siri to access Twitter and search for an email or contact. By continuing to press down, an attacker can open up editable contacts, photos, emails and other contact data.

The security flaw could be temporarily 'patched' by disabling Siri from the lock screen. However, after the security issue went public, Apple said in a statement to the Washington Post that the bug was patched server-side on Tuesday morning.

Users are now protected from the vulnerability without any need to update. Attempting to exploit this issue now results in a screen which says, "You'll need to unlock your iPhone first."

According to 9to5Mac, Apple used the opportunity to patch another bug -- albeit far less important -- which related to Night Shift mode. You used to be able to use Siri to activate this mode while Low Power Mode was enabled, but users are now unable to implement both at the same time with the latest server-side update.