Siri security flaw on iPhone 6s & 6s Plus grants access to Contacts and Photos without passcode

Posted:
in iPhone edited April 2016
A newly discovered Siri search handling bug allows nefarious users to bypass passcode protected lock screens on iPhone 6s and 6s Plus handsets, granting easy access to Contacts and Photos data. The vulnerability is likely applicable only to a subset of devices, however.




Discovered by Jose Rodriguez, who found a similar lock screen flaw last September, the security hole appears effective only in certain scenarios. As presented in a proof-of-concept video, and confirmed by AppleInsider, the vulnerability applies to iPhone 6s and 6s Plus handsets configured to allow Siri app search integrations for Twitter, Contacts and Photos.

In the example provided, a user -- or nefarious agent -- invokes Siri via a long home button press, or iPhone's "Hey Siri" function, and asks the virtual assistant to conduct a Twitter search. If the search results contain actionable Contacts data, like an email address, a 3D Touch gesture can be used to call up a contextual menu with options to send mail and add or modify contact information.

From the 3D Touch Quick Actions menu, tapping on "Add to Existing Contact" opens an iPhone's Contacts list, which can then be used to access device Photos, if so configured.

Rodriguez told AppleInsider the 3D Touch loophole is also applicable to Siri results for WhatsApp friends list searches.



There are a few caveats to successfully leveraging the apparent security flaw. Specifically, a device owner must have previously granted Siri access to their Twitter account, photo library or related app either by conducting a Siri search themselves, or manually configuring service permissions in Settings. When a user first asks Siri to conduct a Twitter search, the assistant will seek permission to access that device's Twitter account, as indexed in device settings. In order to verify ownership, Siri requires account owner confirmation via passcode or Touch ID.

Those concerned about potential intrusions can disable Siri's Twitter integration by navigating to Settings > Twitter and switching off Siri. Doing the same in Settings > Privacy > Photos cuts Siri access to an iPhone's photo library. Alternatively, Siri itself can be completely disabled.

The workaround is active in Apple's latest iOS 9.3.1 update.
«1

Comments

  • Reply 1 of 21
    Tricky… well it does require access to the phone but yes, it should not allow anyone to get that deep - see list of contacts, images, etc. without unlocking.
  • Reply 2 of 21
    tallest skiltallest skil Posts: 43,388member
    9.3.2 in a week or so, then.
  • Reply 3 of 21
    sockrolidsockrolid Posts: 2,789member
    Cellebrite: "Dang."
    quadra 610slprescottwonkothesanejony0
  • Reply 4 of 21
    paxmanpaxman Posts: 4,729member
    I am always impressed by people discovering this shit. That is a pretty convoluted series of actions  :)
    tallest skilmacplusplusrealjustinlongquadra 610jbdragonjony0buzdots
  • Reply 5 of 21
    Did anyone try to follow the instructions to disable Siri in Twitter and Photos. I'm on 9.3.1 and there are no references to Siri in either location named.
    mwhitemacplusplus
  • Reply 6 of 21
    macplusplusmacplusplus Posts: 2,116member
    Did anyone try to follow the instructions to disable Siri in Twitter and Photos. I'm on 9.3.1 and there are no references to Siri in either location named.
    Apparently this is not a Siri security flaw, but a 3D Touch security flaw. The title correctly mentions 6s and 6s Plus but incorrectly attributes the flaw to Siri... In devices without 3D Touch there are no such Siri options.
  • Reply 7 of 21
    why-why- Posts: 305member
    I remember hearing something a few weeks ago about getting into an iPhone with this whole complicated process involving adding a clock or something? did they ever resolve that?
  • Reply 8 of 21
    sflocalsflocal Posts: 6,136member
    sockrolid said:
    Cellebrite: "Dang."
    The FBI is more like...



    quadra 610
  • Reply 9 of 21
    tallest skiltallest skil Posts: 43,388member
    why- said:
    I remember hearing something a few weeks ago about getting into an iPhone with this whole complicated process involving adding a clock or something? did they ever resolve that?
    You might be thinking of this one. As it was discovered in June of last year, I HOPE they fixed it by now.
  • Reply 10 of 21
    fallenjtfallenjt Posts: 4,056member
    Get your butts together Apple. The update was just relased and bugs were found the next day. First, the old iOS devices with iMessage and FaceTime issues, now this?
  • Reply 11 of 21
    kevin keekevin kee Posts: 1,289member
    fallenjt said:
    Get your butts together Apple. The update was just relased and bugs were found the next day. First, the old iOS devices with iMessage and FaceTime issues, now this?
    It's not a bug, it's an exploit.
  • Reply 12 of 21
    lkrupplkrupp Posts: 10,557member
    fallenjt said:
    Get your butts together Apple. The update was just relased and bugs were found the next day. First, the old iOS devices with iMessage and FaceTime issues, now this?

    Stifle it, Edith. The H2SO4 emanating from your keyboard is really bad.
    edited April 2016
  • Reply 13 of 21
    payecopayeco Posts: 581member
    Looking back this guy consistently seems to find these types of bugs in iOS. Why hasn't Apple hired this guy as a QA tester yet?
    dysamoria
  • Reply 14 of 21
    radarthekatradarthekat Posts: 3,904moderator
    fallenjt said:
    Get your butts together Apple. The update was just relased and bugs were found the next day. First, the old iOS devices with iMessage and FaceTime issues, now this?

    ---

    no doubt.  You'd think there'd be a flag to check when a call is made to access sensitive information.  isSignedIn=TRUE/FALSE.  The flag gets reset when the phone is wakened and put to sleep, set after a valid sign-in.  Seems pretty basic to head off any convoluted scenario that might come up in the future.
    edited April 2016 dysamoria
  • Reply 15 of 21
    fallenjtfallenjt Posts: 4,056member
    lkrupp said:
    fallenjt said:
    Get your butts together Apple. The update was just relased and bugs were found the next day. First, the old iOS devices with iMessage and FaceTime issues, now this?

    Stifle it, Edith. The H2SO4 emanating from your keyboard is really bad.
    What's about H2S from your mouth?
    edited April 2016
  • Reply 16 of 21
    fallenjtfallenjt Posts: 4,056member

    kevin kee said:
    fallenjt said:
    Get your butts together Apple. The update was just relased and bugs were found the next day. First, the old iOS devices with iMessage and FaceTime issues, now this?
    It's not a bug, it's an exploit.
    What does it say here?

    "A newly discovered Siri search handling bug allows nefarious users to bypass passcode protected lock screens"
  • Reply 17 of 21
    ajl said:
    Well, I own an iPhone 5s, not a 3D touch device, but there is another flaw. When I ask Siri to show me a contact, or all of them, Siri tells me that I have to unlock the phone (and that's good). I still have to unlock the phone when I tell Siri "show me [name of contact]", and that's good. But when I ask Siri "show me contact [name]", magically Siri shows all the contact info. And if there are more contacts with that name, Siri ask me back which of them I want, so when I tell, or touch, one of them, Siri shows me again all the contact info. Give a try.
    Odd: Just tried that on my 5S (iOS9.3.1) and for both scenarios I got asked to unlock the phone first. Which iOS version were you using?
  • Reply 18 of 21
    dysamoriadysamoria Posts: 3,430member
    ajl said:
    Well, I own an iPhone 5s, not a 3D touch device, but there is another flaw. When I ask Siri to show me a contact, or all of them, Siri tells me that I have to unlock the phone (and that's good). I still have to unlock the phone when I tell Siri "show me [name of contact]", and that's good. But when I ask Siri "show me contact [name]", magically Siri shows all the contact info. And if there are more contacts with that name, Siri ask me back which of them I want, so when I tell, or touch, one of them, Siri shows me again all the contact info. Give a try.
    This didn't work for me. iOS 9.3, iPhone 6s. I also can't get the article exploit to work either (Siri just tells me to unlock first).

    Edit: oh, so the Twitter app must be installed too? I don't have that. 
    edited April 2016
  • Reply 19 of 21
    airbubbleairbubble Posts: 105member
    Ok so for give me if I'm dumb but the phone is reacting to the user!
    Like advertised in many Apple ads no-hands op, person ask Siri a question while cooking "messy hands" or other.
    So imagine in the future that the iPhone could wake into action via the users "owner" voice Hands free.
    Testing this iPhone on asking Siri any info get reply, person next to me asks Siri a question ... no response! 
    jony0
  • Reply 20 of 21
    seanie248seanie248 Posts: 181member
    why- said:
    I remember hearing something a few weeks ago about getting into an iPhone with this whole complicated process involving adding a clock or something? did they ever resolve that?
    that one turned out to be a fake report... it only worked when you used an authenticated finger to invoke Siri, which unlocked the device through TouchID. use a different finger and no dice.
Sign In or Register to comment.