iPhone devices running iOS 9.3.1 can also be unlocked using TouchID fingerprint reader
A new vulnerability in iOS allows anyone to access photos and contacts on a locked iPhone without the need to enter a passcode – potentially putting millions of devices at risk.
The flaw appears to affect all versions of iOS 9, including iOS 9.3.1, which was launched last week, and can also be exploited using the TouchID fingerprint reader, including in all models from the iPhone 5S onwards
According to a YouTube video uploaded by security researcher Jose Rodriguez (see below), the bug can be accessed through Apple’s voice-recognition service Siri, opened by holding down the home button or using the “Hey, Siri” function, and then initiating a Twitter search.
If this search contains contact details such as an email address containing the “@” symbol, the device will then offer a 3D Touch gesture on this information to bring up a Quick Actions menu.
This menu includes an “Add to Existing Contact” option, which when selected opens up the Contacts list on the device. As Apple’s contacts also allow the addition of a photo to a contact’s profile, users can then also access the device’s full photo library to do so.
The flaw will only affect devices where the user has given Siri permission to access their Twitter account information, as well as to their Contacts or Photos, all of which require the owner to authenticate using a passcode or Touch ID.
There does not appear to be any official fix for the bug just yet, but users worried about the security of their device can disable Siri’s access to their photos, or fully disable Siri on the lock screen.
Apple had not responded to TechWeekEurope’s requests for comment at the time of publication.