Once again, Siri helps attackers bypass your iPhone's passcode

Graham CLULEY

November 17, 2016

Over the years iPhones and iPads have been plagued on many occasions by passcode bypasses – a secret method that allows an attacker to unlock your iOS device and access your private data.

It would be nice to think that as we’re now up to iOS 10 that Apple would have prevented such bypasses from working once and for all. But no such luck – for users who have left Siri enabled from the lockscreen at least.

Here is how an attacker could break into your iPhone, even if you have a passcode or Touch ID turned on.

First of all, they need physical access to your switched-on device.

Then, they need to know your phone number. Now, they might know your phone number because they’re an acquaintance of yours, but even if they don’t it’s not a problem, because all they need to do is activate Siri by holding down the iPhone’s button and asking “Who am I?”

Siri helpfully tells you the phone number being used by the device.

With that information you’re only a few steps away from accessing the owner’s personal photographs, address book and messages.

1. Call the targeted phone.

2. On the targeted phone, click the Message icon and choose to send a custom message as a reply to the incoming call.

3. Tell the phone, via Siri, to “Turn On VoiceOver”. VoiceOver is a built-in iOS feature that provides a gesture-based screen reading functionality to visually-impaired users.

4. Return to the message screen and double-click on the bar where the contact info is displayed, and immediately click on the on-screen keyboard. This may take multiple attempts to get the timing right, but you will know you’ve succeeded when you see the “Photo” icon and other options slide in from the side above the keyboard.

5. You can ask Siri to disable VoiceOver at this stage (because it can be quite irritating!), and after typing characters into the top bar you should be able to access contact details, and create a new contact.

6. Rather than add a new contact’s details, select the “Photo” icon. You should now be able to choose Add Photo and find that you have access to the targeted device’s photo gallery. Selecting contacts on the device should reveal past messages that have been exchanged with the phone’s owner.

So much for it being locked…

The following YouTube video demonstrates the technique, through which an iPhone user’s private photos can be accessed.

As the video points out, the passcode bypass works on iPads just as well as iPhones running the latest version of iOS.

Chances are that Apple will release a security update in due course to shut down this latest passcode bypass, but it would be a brave man who placed money on Apple never suffering from a similar security goof in future.

My advice, therefore, is that you should simply disable Siri on your iDevice’s lockscreen. You can do that by going to Settings / Touch ID & Passcode / Disable Siri on the Lockscreen.

Of course, *not* having Siri available when your iPhone is locked can be an inconvenience. But remember it’s an even bigger inconvenience for someone who is trying to break into your Apple gadget to find out who you have been communicating with, or snoop on your private photos.
