iPhones, iPads at risk of new lock screen passcode bypass flaw

The flaw affects iPhones 5 and 6, and iPad 2, running iOS 8.2 and later.
Written by Zack Whittaker, Contributor
(Image: CNET/CBS Interactive)

A security researcher has published details of a newly-discovered flaw that can allow an attacker to quickly bypass iPhone and iPad lock screens.

Disclosed on Thursday, the "high"-rated vulnerability is said to affect iPhones 5 and 6, and iPad 2 tablets running iOS 8.2 and later. It's not clear if other devices are affected.

Apple's most recent figures show that the vast majority of iPhone and iPad users are running an affected version of the software, accounting to many tens of millions of users.

The flaw allows an attacker to bypass the passcode on the lock screen through a carefully performed time-based attack. An attacker must have access to the device to exploit the flaw.

Benjamin Kunz Mejri, who found the vulnerability, posted a proof-of-concept video of the attack taking place.

Mejri said in the advisory (edited for clarity) that a "local attacker can trick the iOS device into a mode where a runtime issue with unlimited loop occurs. This finally results in a temporarily deactivation of the passcode lock screen."

ZDNet was not able to independently verify the flaw at the time of writing.

The researcher said he notified Apple's security team on October 22 last year. It's not clear why the flaw was publicly disclosed. Thursday's advisory was posted more than three months after Apple was notified, falling in line with responsible disclosure principles.

We reached out to Apple but did not immediately hear back. We will update if we do.

For privacy and security, change these iOS 9 settings right now

Editorial standards