Ways to bypass the iOS lock screen using Siri
Siri (Rus. Siri, bakr. Eng. Speech Interpretation and Recognition Interface) is a personal assistant and question-answer system developed for iOS. This application uses natural speech processing to answer questions and make recommendations. Siri adapts to each user individually, studying his preferences for a long time.
Siri was originally available on the App Store as an iOS app from Siri Inc. Soon, April 28, 2010, Siri Inc. was acquired by Apple Inc. But even before Apple bought Siri, it was announced that their software would be available for BlackBerry phones and Android phones, then these plans were canceled due to the purchase. Now Siri is an integral part of iOS and is available for most devices manufactured by the company: iPhone (4S and older), iPad (third generation and older, as well as all iPad mini devices), iPod touch 5g and Apple Watch. Despite this, hackers were able to adapt Siri for older models of devices. On November 8, 2011, Apple publicly stated that it has no plans to integrate Siri into older products due to the lack of background noise filtering chip.
A fresh way to bypass the lock screen once again proves the correctness of experts who recommend disabling the use of Siri with the active lock screen in order to avoid various problems. The problem was discovered by the bloggers EverythingApplePro and iDeviceHelps. The bug is present on the iPhone and iPad running iOS 8 and newer , including the latest iOS 10 . For the successful implementation of the attack, as usual, you will need physical access to the phone, and a working active Siri with the lock screen turned on.one
First, the attacker needs to know the phone number of the victim, and for this the Siri assistant is just needed: he needs to ask the question “ who am I? "( Who am I? ). Then, knowing the victim's number, the attacker must call her or initiate a call through FaceTime. It doesn't matter how the smartphone is blocked, with a password or using the Touch ID, when a call comes in, it will be possible to answer it. At this point, the attacker needs to click on the “Messages” icon and select a custom message, ostensibly to reply via SMS. Although the screen lock is still active, a window will open for typing a new message.2
Now the attacker will again need the help of Siri. You need to instruct the assistant to activate VoiceOver. This is the gesture-driven voice guidance function of the interface, without activating which the attack will not work.3
Returning to the message typing screen, the attacker will need to show some “manual dexterity”. You have to double-click on the input field of the recipient's name, while simultaneously clicking on any character on the keyboard. This may take several attempts, but if everything went well, the attacker would be able to type something arbitrary in the “To” field, although the initial message was meant specifically for the person who had just called the device.four
Since the attacker “unblocked” access to the “To” field, the entire address book of the victim is available to him. At this point, you can turn off VoiceOver, since it is no longer needed and pretty annoying.
In the contact list of the victim, you need to find an entry with the icon “i” , click on it, and then proceed to create a new contact.6
In addition to access to all contacts and photos of the victim, the attacker can also select any contact from the list and see all the dialogues that the owner of the device previously had with this user.
Demonstration of the attack performed by EverythingApplePro and iDeviceHelps:
The lock screen on iPhone 6S and 6S Plus devices can be bypassed, even if they are running the latest iOS 9.3.1. The defense can be fooled with Siri, which allows the attacker to access the list of contacts and photos of the victim.
Now Rodriguez found that the bypass lock is still relevant and can be implemented on the iPhone 6S and 6S Plus with support for 3D Touch. The problem applies to all devices running on iOS 9.2 and above, including iOS 9.3.1, released last week. The researcher has posted a proof-of-concept video, which can be seen below. The scheme of actions for exploiting the bug has changed a bit, this is what needs to be done to deceive iOS protection:one
Block the device.2
Call Siri and say “Search Twitter” (“Twitter Search”).
Siri will ask you what to search, you need to answer “at-sign Gmail dot com” (“@ gmail.com”) or call any other popular email domain. The point is to find tweets containing email addresses.four
After receiving the results, click on any tweet with a mailing address.four
Now we use 3D Touch on the email address to call the context menu.five
Select “Create New Contact”.6
Now you can add an image, that is, view all the images stored on the device.
If you use the “Add to Existing Contact” option, you can also view the entire list of contacts of the victim.
The researcher recalls that while the bug is not fixed, which means that anyone who has physical access to the smartphone, can get to personal data.
In iOS 9, a vulnerability was discovered that, if you have physical access to the device, allows you to bypass the protection of the operating system and in 30 seconds just get access to someone else's contacts and photos.
Any device running iOS 9 is vulnerable to this bug (iPhone, iPad or iPod touch), even protected Touch ID. The intruder will be able to bypass the device password ... a Siri personal assistant.one
"Wake up" the device and type the password incorrectly 4 times.2
During the fifth attempt to enter a password, enter 3 or 5 characters (depending on how long the password is). Instead of entering the last character, press and hold the Home button to trigger Siri. At the same time, enter the last character of the password.3
If everything is done right, Siri will appear. Ask the assistant what time it is.four
Click on the Clock icon to open the Clock application and choose to add a new clock (new Clock). In the “Choose a City” field, type any random rubbish.four
Double-click on the typed word to bring up the copy & paste menu, “Select All” (Select All), and then click on “Share”.five
In the options of sharing, click on the “Message” (Message) and again type something on the keyboard, then click “Return” (Return) and twice on the contact name on the top.6
Select “Create New Contact”, click “Add Photo”, and then “Choose Photo” (Choose Photo).7
Now you can see the entire image library of the device, which, between others, is still locked with a password.
The video demonstrates the described method in action:
While Apple has not fixed this bug, but you can defend yourself. To protect against hacking, users are once again recommended to turn off Siri assistant if the phone is locked . This can be done in the settings ( Settings> Touch ID & Passcode ). There is no official fix for the vulnerability yet.