Researchers are having a fun time with iOS 6.1 passcode locks this month, with Vulnerability Lab having discovered a second version of a vulnerability that lets a hacker slip past a lock screen to access a user’s contact list, voicemails and more.
The first vulnerability, which popped up on YouTube earlier in the month, entailed this laundry list of steps, brought to us courtesy of Naked Security’s Paul Ducklin:
- You need physical access to the device.
- You need manual dexterity or a fair bit of practice.
- You only get access to some of the data.
- You have to place a phony emergency call as part of the process.
The most recent vulnerability, described in a post on the Full Disclosure mailing list late last week by Benjamin Kunz Mejri – founder and CEO of Vulnerability Lab – and spotted by Threatpost’s Christopher Brook, adds on to the earlier exploit.
Both attacks require using the Emergency Call function in addition to the lock/sleep button and the screenshot feature.
When placing the emergency call, an attacker could cancel the call while holding the lock/sleep button in order to access data on the phone.
In this second version of the exploit, a hacker can also make the iPhone screen go black, thereby allowing him or her to plug the phone into a computer via USB and grab data off the device without a PIN or passcode credentials.
Here’s Mejri’s description of the bug, from his Full Disclosure post:
A code lock bypass vulnerability via iOS as glitch is detected in the official Apple iOS v6.1 (10B143) for iPad & iPhone.
The vulnerability allows an attacker with physical access to bypass via a glitch in the iOS kernel the main device code lock (auth).
The vulnerability is located in the main login module of the mobile iOS device (iPhone or iPad) when processing to use the screenshot function in combination with the emergency call and power (standby) button. The vulnerability allows the local attacker to bypass the code lock in iTunes and via USB when a black screen bug occurs.
The vulnerability can be exploited by local attackers with physical device access without privileged iOS account or required user interaction.
Successful exploitation of the vulnerability results in unauthorized device access and information disclosure.
Exploiting this second bug still requires a certain degree of dexterity, if not a prehensile tail. But the bug still poses a risk to iOS 6.1 users’ data, and Vulnerability Lab estimates that the risk is high.
When the first vulnerability was discovered – also in iOS 6.1 – Apple told Macworld that a fix was in the works, though the spokesperson didn’t say when that would come.
But as Macworld noted, this isn’t the first time Apple has had to grapple with an iPhone password security flaw.
It got a fix out for a 2010 bug without a big time lag. Let’s hope it promptly gets a fix out for these two new bugs, as well.
While we wait, try to refrain from searching for, and replicating, the steps to the attack.
Bear in mind that, just as Paul Ducklin pointed out with regard to this month’s first iOS 6.1 bug, it’s not nice – and, in at least some areas, if not all, it is illegal – to place bogus emergency calls.