The security researcher Benjamin Kunz Mejri from Vulnerability Laboratory has discovered an authentication bypass-sized hole in both iPhones and iPads running iOS 8 and iOS 9 that can be exploited by attackers to thwart lock screen passcode.
This threat is real people, there is a video of it and documentation available online. It’s all pretty technical but the upshot is the vulnerability lets an attacker bypass the lockscreen on handsets running iOS 8 and iOS 9.
It is important to highlight that the attacker requires physical access to an unlocked iOS device, for this reason the threat is considered not so critical.
“An application update loop that results in a pass code bypass vulnerability has been discovered in the official Apple iOS (iPhone5&6|iPad2) v8.x, v9.0, v9.1 & v9.2. The security vulnerability allows local attackers to bypass pass code lock protection of the apple iphone via an application update loop issue. The issue affects the device security when processing to request a local update by an installed mobile ios web-application.” states the technical description published by the vulnerability-lab.com.
The attacker can bring the iOS devices into an unlimited loop resulting in a temporarily deactivate of the pass code lock screen.
“Local attacker can trick the iOS device into a mode were a runtime issue with unlimited loop occurs. This finally results in a temporarily deactivate of the pass code lock screen. By loading the loop with remote app interaction we was able to stable bypass the auth of an iphone after the reactivation via shutdown button. The settings of the device was permanently requesting the pass code lock on interaction. Normally the pass code lock is being activated during the shutdown button interaction. In case of the loop the request shuts the display down but does not activate the pass code lock like demonstrated in the attached poc security video.”
The issue could be triggered by powering off the iOS device, upon reboot the passcode authentication feature remains disabled, allowing an attacker to access the device without providing the passcode.
The advisory describes the following attack scenario:
Kunz reported the vulnerability to the Apple Product Security Team in late 2015, but at the time I was writing the issue is still present.
Are you an iOS user? You should be careful when leaving the mobile device unattended.
(Security Affairs – iOS device, hacking)