New iPhone lock screen exploit reveals contact information without passcode
A new exploit requiring precise timing in conjunction with physical access to a device that has Siri enabled on the lock screen has surfaced, giving attackers the ability to view contact information, including photos, and message logs.

In the method first publicized by YouTube channel iDeviceHelp, attackers with access to the device must call the phone and start to send a message. After that, assailants instruct Siri to turn on VoiceOver.
For the next steps, timing is crucial. Attackers must double-tap the contact info bar, and hold the second tap on the bar, while immediately clicking on a keyboard, which may or may not invoke in time for the exploit.
At this point, the attacker can type the first letter of a contact's name, and then tap the info button next to the contact to get information on the contact. The phone remains locked during the entire attack.
AppleInsider was able to repeat the steps necessary to invoke the attack on an iPhone SE, an iPhone 6 Plus, and an iPhone 6S Plus, but not on an iPhone 7 or 7 Plus, which is suspected to be because of slightly different keyboard invocation times. A different YouTube channel, EverythingApplePro, claims that the exploit works on any phone, going back to iOS 8.0.
The best way to prevent the attack method is to disable Siri on the lock screen, a setting found in the Touch ID & Passcode preferences, or to prevent physical access to the device. The testers have reported the flaw to Apple.

Comments
Right?
/s
But to use this one, someone has to know my name and phone number before successful execution of said exploit? (Physical possession is a given). This does limit the danger of this hack. I do keep Siri enabled on the lock screen, but turned off Control Panel. Siri stays.
All doable, if the user chooses. The more operations that are added increase the chance that Apple or any manufacturer will not have done whatever arcane testing that reveals all possible exploits. The good thing is once discovered, most if not all of these can and probably will be fixed with software or firmware updates.
I know, right?! Sometimes, a feature seems a likely target to exploit, but things like this would seem to be so random... I mean, do software engineers look at this and do a face palm saying 'Why didn't WE think of that??' or is the slider moved all the way from "D'oh" to "You have to admit it's a genius exploit!" in grudging admiration?
At least this is easy if inconvenient to thwart if Apple doesn't fix it with an update.
I hope Apple patch it soon because I like having Siri available from the lock screen.
In the meantime, as you say, it's easy to thwart.