Apple rolled out iOS 9.0.1 on Wednesday, Sept. 23, in the hopes of patching a handful of bugs and security flaws found in iOS 9. However, a video demonstration posted on YouTube shows another lockscreen bypass vulnerability that iPhone users should watch out for, as it allows attackers to use Siri to access their messages, photos and contacts.
A YouTube user with the handle videosdebarraquito posted the video demonstrating how the attack can be performed.
The following is a rundown, based on the posted video, of the keystrokes by which hackers can access users' private communications, images and contacts without a password.
- The hacker enters a wrong four-digit password four times.
- On the fifth attempt, the hacker enters two numbers, then quickly holds down the home button while entering the other two digits.
- Siri then pops up and the hacker uses it to bring up the built-in clock.
- Upon tapping the clock, the attacker presses the + icon, allowing access to search capabilities.
- From there on, the hacker gets unrestricted access to the user's iMessage.
- Once the hacker has accessed iMessage, it is now possible to read, delete or even add contacts.
- By adding a profile, the hacker can also gain access to the user's photos saved on the iPhone.
While some people report that they successfully carried out the hack, others say it does not work.
In performing the attack, the hacker has to be fast. This means that the hack will not work if the hacker's timing is off.
The good thing is that iPhone users can prevent the attack by blocking access to Siri from the lockscreen. Here is how to do that:
- Go to Settings.
- Select "Touch ID and Passcode."
- Key in the device's password.
- Look for the "Allow access when locked" section.
- Disable it by sliding the toggle next to Siri to off.
Some YouTube users, though, point out that the video might be fake and that the attacker in the video used Touch ID, which perhaps would have made the attack successful.
"Ok. I just tried with my iPhone 5S with iOS 9.0.1. I have TouchID off on my phone and the 'hack' does not work," commented a YouTube user with the handle multimediavt. "I am pretty sure that the person in the video accidentally logged his iPhone in with TouchID during the process."