Watch out, iDevice owners!
Siri has opened the pod bay door to let snoopers in.
Barely a week after the release of iOS 9, a hacker has found a way for snoops to access your contacts and photos and send messages without your passcode.
The bug affects iOS 9 and iOS 9.0.1 on iPhones, iPads and iPods.
The security flaw allows a malcontent with physical access to your iDevice to use Siri to bypass Apple’s Lock screen – even if you have set up Touch ID with your fingerprint.
→ Touch ID doesn’t help here. When you set up Touch ID, iOS requires you to have a passcode too, and you can always tell the Touch ID login process that you want skip trying your fingerprint and use your passcode instead. From that point, you can use this hack.
We’re not going to explain exactly how you can get around the lock screen, because Apple hasn’t fixed the bug yet – we’re sure you can see it demonstrated elsewhere if you really need to know.
In general terms, the bug allows you to bypass the lock screen by entering an incorrect passcode several times and then asking Siri to open the clock app.
Popping up the clock app at the lock screen sounds like a low-risk feature, not least because the lock screen displays the time and date anyway.
But from the clock, a snoop can use some trickery to access iMessage, and that opens the door to contacts and photos.
An intrepid member of our Naked Security team tried this Siri-enabled hack, and managed to get it to work on an iPhone 6 running iOS 9.0.1. (He tried with both a 6-digit numeric and an 8-character alphanumeric code.)
What are the risks?
One of the more worrying consequences, aside from the fact that hackers can access all your selfies, screenshots, family photos and so on, is that a crook can get into iMessage and send text messages in your name to your contacts.
We can imagine a bunch of ways this could be dangerous, from “mugged abroad” scams that could cost you $800, all the way to the sort of password phishing and social engineering that recently cost a Bitcoin exchange called BitPay $1.8 million.
When I contacted the bug finder Jose Rodriguez on Twitter, he told me that he posted his video demonstrating the hack because he was “upset with Apple product security.”
Rodriguez messaged me screenshots of emails he sent to Apple product security (and one to Apple CEO Tim Cook) about the bug – he told me he alerted Apple two days before iOS 9 came out on 16 September.
Yet Rodriguez posted his video to YouTube on 19 September – five days after telling Apple about the security hole – which wasn’t much time at all for Apple to fix the bug.
Regardless, this “zero-day” lock screen hack is now widely known.
Why the flaw?
Beyond the questions this raises about responsible disclosure of vulnerabilities, we should ask why this serious security flaw exists in the first place.
Part of the problem is having Siri accessible from the lock screen – indeed, we’ve seen quite a few security holes in earlier versions of iOS where Siri gave up access to the device without the passcode.
This iOS 9 lock screen bug isn’t quite as bad as the recently fixed lock screen bypass in Android Lollipop, which could give a hacker access to everything on your device.
But the two bugs are similar: on iOS 9, accessing Siri from the lockscreen opens the door; on Android 5.x, the camera app on the lockscreen is the problem.
As my colleague Paul Ducklin observed, having a lock screen really ought to mean that your device is locked, not sitting there with the front door closed but the cat flap open.
What to do?
Our advice: reduce your attack surface right away.
Apple and Google don’t want to let you turn off the camera on your lock screen, so you’re stuck with a “cat flap” for the camera on both platforms, but we strongly recommend that iDevice owners at least turn off Siri on the lock screen.
How to disable Siri on the lock screen
Go to Settings | Touch ID & Passcode, and under Allow Access When Locked, toggle Siri off:
Some other settings you may want to consider while you’re about it, as configured in the screenshot above (yes, that’s a Naked Security iPhone):
- Set Require Passcode to Immediately.
- Turn off everything you can under Allow Access When Locked.
- Enable Erase Data after 10 failed passcode attempts.
How to turn Siri off altogether
You may want to go all the way, and turn Siri off altogether.
Go to Settings | General | Siri and toggle to off:
For more advice on what to do when you review your phone’s security settings, please take a look at our popular article, Privacy and Security on Your Phone. (Covers iOS, Android and Windows Phone.)