Researchers are having a fun time with iOS 6.1 passcode locks this month, with Vulnerability Lab having discovered a second version of a vulnerability that lets a hacker slip past a lock screen to access a user’s contact list, voicemails and more.
The first vulnerability, which popped up on YouTube earlier in the month, entailed this laundry list of steps, brought to us courtesy of Naked Security’s Paul Ducklin:
- You need physical access to the device.
- You need manual dexterity or a fair bit of practice.
- You only get access to some of the data.
- You have to place a phony emergency call as part of the process.
The most recent vulnerability, described in a post on the Full Disclosure mailing list late last week by Benjamin Kunz Mejri – founder and CEO of Vulnerability Lab – and spotted by Threatpost’s Christopher Brook, adds on to the earlier exploit.
Both attacks require using the Emergency Call function in addition to the lock/sleep button and the screenshot feature.
When placing the emergency call, an attacker could cancel the call while holding the lock/sleep button in order to access data on the phone.
In this second version of the exploit, a hacker can also make the iPhone screen go black, thereby allowing him or her to plug the phone into a computer via USB and grab data off the device without a PIN or passcode credentials.
Here’s Mejri’s description of the bug, from his Full Disclosure post:
A code lock bypass vulnerability via iOS as glitch is detected in the official Apple iOS v6.1 (10B143) for iPad & iPhone.
The vulnerability allows an attacker with physical access to bypass via a glitch in the iOS kernel the main device code lock (auth).
The vulnerability is located in the main login module of the mobile iOS device (iPhone or iPad) when processing to use the screenshot function in combination with the emergency call and power (standby) button. The vulnerability allows the local attacker to bypass the code lock in iTunes and via USB when a black screen bug occurs.
The vulnerability can be exploited by local attackers with physical device access without privileged iOS account or required user interaction.
Successful exploitation of the vulnerability results in unauthorized device access and information disclosure.
Exploiting this second bug still requires a certain degree of dexterity, if not a prehensile tail. But the bug still implies a risk to iOS 6.1 users’ data and Vulnerability Lab estimates it’s a high risk.
When the first vulnerability was discovered – also in iOS 6.1 – Apple told Macworld that a fix was in the works, though the spokesperson didn’t say when that would come.
But as Macworld noted, this isn’t the first time Apple has had to grapple with an iPhone password security flaw.
It got a fix out for a 2010 bug without a big time lag. Let’s hope it promptly gets a fix out for these two new bugs, as well.
While we wait, try to refrain from searching for, and replicating, the steps to the attack.
Bear in mind that, just as Paul Ducklin pointed out with regards to this month’s first iOS 6.1 bug, it’s not nice – and, at least in some, if not all areas, is illegal – to place bogus emergency calls.
I gotta be honest. I don't think I really care. I mean, it requires physical access to the device and time to play around with it.
1) I don't let anyone touch my phone
2) if someone does manage to snatch it, I'm going to notice very quickly and can wipe the device using Find My iPhone.
Having the remote-wipe option is indeed a good measure against this sort of thing… but only if the owner made sure it is enabled, and knows how to use it.
Besides that… was it not on 5 December, 2012 that Sophos published an article "Exploit kits, the biggest threat on the web, are being fed by whitehat security researchers," which indicated that most of the exploits and whatnot being used in kits are a result of "research" from "white hat" hackers?
That being said, the question arises: "Who would have known about this iOS hack if folks wouldn't have published their findings on the Internet?" If their intent was to PREVENT this from happening, why not just report to Apple and keep things on the down-low until Apple releases its next iOS update?
Companies generally don't fix issues unless you provide them a disclosure date for the issue. In return, many researchers don't release specifics until the fix is completed.
If you have jailbroken your device, you can install "disableEmergency" from the BigBoss repo. It will work as a temporary fix until Apple patches it.
NOTE: It will of course disable the emergency button (not a problem, providing you have the access code to enter the device).
Can you still place emergency calls without a SIM card in the phone?
If not, can you still perform this hack without a SIM card, safe from accidentally calling the hard-working emergency services of your respective country?
Yes, you can still place emergency calls without a SIM card.
By the way, I just tested this on my work iPhone 4, and was able to call my partner – once she accepted my call I was able to release the power button and get into the status bar – which allowed me to open my emails, calendar, and MSN Messenger!
The Home button doesn't work as it usually does in this state – so you can only access additional items via the status bar, but the phone also doesn't automatically lock in this state, the screen goes to sleep but never actually locks. So once an attacker performed this they could access all of your emails and so on without even needing to run the passcode hack again.
So this is much more than just a contacts and voicemail compromise – you can access a lot of personal data, including email and instant messages (and any other apps that report status items to the status bar – e.g. stock ticker, etc.)!