Ways to bypass the iOS lock screen using Siri
Siri (a backronym for Speech Interpretation and Recognition Interface) is a personal assistant and question-answering system developed for iOS. The application uses natural language processing to answer questions and make recommendations. Siri adapts to each user individually, learning their preferences over time.
Siri was originally available on the App Store as an iOS app from Siri Inc. Shortly afterwards, on April 28, 2010, Siri Inc. was acquired by Apple Inc. Before the acquisition, Siri Inc. had announced that its software would also be available for BlackBerry and Android phones, but these plans were canceled because of the purchase. Siri is now an integral part of iOS and is available on most of the company's devices: iPhone (4S and later), iPad (third generation and later, as well as all devices in the iPad mini line), iPod touch 5g and Apple Watch. Despite this, hackers were able to adapt Siri for older device models. On November 8, 2011, Apple publicly stated that it had no plans to integrate Siri into older products because they lack a background-noise filtering chip.
A new way to bypass the lock screen once again vindicates the experts who recommend disabling Siri while the lock screen is active in order to avoid various problems. The problem was discovered by the bloggers EverythingApplePro and iDeviceHelps. The bug is present on iPhones and iPads running iOS 8 and newer, including the latest iOS 10. As usual, a successful attack requires physical access to the phone and Siri enabled on the lock screen.
1. First, the attacker needs to learn the victim's phone number, and Siri is all that is needed for this: simply ask it “Who am I?”. Then, knowing the number, the attacker must call the device or initiate a FaceTime call. It doesn't matter whether the smartphone is locked with a password or with Touch ID: when a call arrives, it can be answered. At this point, the attacker taps the “Messages” icon and selects a custom message, ostensibly to reply via SMS. Although the screen lock is still active, a window for typing a new message will appear.
2. Now the attacker again needs Siri's help: instruct the assistant to activate VoiceOver. This is the gesture-driven voice guidance function of the interface; without it the attack will not work.
3. Returning to the message typing screen, the attacker needs a bit of “manual dexterity”: double-tap the recipient name field while simultaneously tapping any character on the keyboard. This may take several attempts, but if everything goes well, the attacker can type arbitrary text in the “To” field, although the message was originally addressed specifically to the person who had just called the device.
4. Since the attacker has “unlocked” the “To” field, the victim's entire address book is available to him. At this point VoiceOver can be turned off, since it is no longer needed and is pretty annoying.
5. In the victim's contact list, find an entry with the “i” icon, tap it, and then proceed to create a new contact.
6. In addition to access to all of the victim's contacts and photos, the attacker can also select any contact from the list and see all the conversations the device owner previously had with that contact.
Demonstration of the attack performed by EverythingApplePro and iDeviceHelps:
The lock screen on iPhone 6S and 6S Plus devices can be bypassed, even if they are running the latest iOS 9.3.1. The defense can be fooled with Siri, which allows an attacker to gain access to the list of contacts and photos of the victim.
Now Rodriguez discovered that the lock screen bypass is still relevant and can be implemented on the iPhone 6S and 6S Plus with 3D Touch support. The problem applies to all devices running iOS 9.2 and above, including iOS 9.3.1, released last week. The researcher published a proof-of-concept video, which can be seen below. The sequence of actions for exploiting the bug has changed a bit; this is what needs to be done to fool iOS protection:
1. Lock the device.
2. Call Siri and say “Search Twitter” (“Twitter Search”).
3. Siri will ask what to look for; answer “at-sign Gmail dot com” (“@gmail.com”) or name any other popular email domain. The point is to find tweets containing email addresses.
4. After receiving the results, tap any tweet with an email address.
5. Now use 3D Touch on the email address to call up the context menu.
6. Select “Create New Contact”.
7. Now you can add an image, that is, view all the images stored on the device.
If you use the “Add to Existing Contact” option, you can also view the entire list of contacts of the victim.
The researcher notes that the bug has not yet been fixed, which means that anyone who has physical access to the smartphone can get to personal data.
A vulnerability was discovered in iOS 9 that, given physical access to the device, allows an attacker to bypass the operating system's protection and gain access to someone else's contacts and photos in just 30 seconds.
Any device running iOS 9 is vulnerable to this bug (iPhone, iPad or iPod touch), even one protected by Touch ID. The intruder will be able to bypass the device password ... a Siri personal assistant.
1. “Wake up” the device and type the password incorrectly 4 times.
2. During the fifth attempt to enter a password, enter 3 or 5 characters (depending on how long the password is). Instead of entering the last character, press and hold the “Home” button to trigger Siri. At the same time, enter the last character of the password.
3. If everything is done right, Siri will appear. Ask the assistant what time it is.
4. Tap the Clock icon to open the Clock application and choose to add a new clock (new Clock). In the “Choose a city” (Choose a City) field, type any arbitrary nonsense.
5. Double-tap the typed word to bring up the copy & paste menu, choose “Select All” (Select All), and then tap “Share”.
6. In the sharing options, tap “Message” (Message) and again type something on the keyboard, then tap “Return” (Return) and tap twice on the contact name at the top.
7. Choose Create New Contact, tap Add Photo, and then Choose Photo.
8. Now you can see the entire image library of the device, which, incidentally, is still locked with a password.
The video demonstrates the described method in action:
Apple has not fixed this bug yet, but you can protect yourself. To protect against hacking, users are once again recommended to turn off the Siri assistant when the phone is locked. This can be done in the settings (Settings > Touch ID & Passcode). There is no official fix for the vulnerability yet.
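For managed devices, the same mitigation can be enforced and audited through a configuration profile rather than left to each user. The following is an added example, not part of the original article: it checks whether a profile's Restrictions payload (`com.apple.applicationaccess`) disables Siri on the lock screen via Apple's `allowAssistant` / `allowAssistantWhileLocked` keys. The sample profile and its `com.example.lockscreen` identifier are constructed for illustration.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"

# Constructed sample profile (not from the article); the identifier is made up.
WEAK_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.lockscreen</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowAssistant</key><true/>
      <key>allowAssistantWhileLocked</key><true/>
    </dict>
  </array>
</dict>
</plist>"""

# The same profile with the lock-screen Siri restriction applied.
HARDENED_PROFILE = WEAK_PROFILE.replace(
    b"<key>allowAssistantWhileLocked</key><true/>",
    b"<key>allowAssistantWhileLocked</key><false/>",
)

def siri_on_lock_screen(profile_bytes):
    """Return 'blocked', 'allowed' or 'unmanaged' for Siri on the lock screen."""
    profile = plistlib.loads(profile_bytes)
    seen_restrictions = False
    for payload in profile.get("PayloadContent", []):
        if not isinstance(payload, dict):
            continue
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        seen_restrictions = True
        # Disabling Siri entirely also removes it from the lock screen.
        if payload.get("allowAssistant") is False:
            return "blocked"
        if payload.get("allowAssistantWhileLocked") is False:
            return "blocked"
    # A Restrictions payload without the key leaves the default (allowed);
    # no Restrictions payload at all means the user's own setting decides.
    return "allowed" if seen_restrictions else "unmanaged"

if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, siri_on_lock_screen(blob))
```

An "unmanaged" result means the profile does not touch the setting, so the device still depends on the user switching Siri off under Touch ID & Passcode.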