Access Private Photos and Contacts Without a Passcode on iOS 9 devices

Pierluigi Paganini September 22, 2015

A hacker has found a way to access images and contacts stored on Apple iOS 9 devices even if they are protected with a passcode or Touch ID.

A few hours ago I posted the news of the decision by the security firm Zerodium to pay a 1 Million Dollars prize for zero-day exploits and jailbreaks for the newborn iOS 9.

Now I discover that it is quite easy to access users’ personal photos and contact lists stored on iOS devices running iOS 9. According to colleagues at THEHACKERNEWS, a hacker has found a method to access private data even if the mobile device is protected with a passcode or Touch ID.

The hacker explained that, using Apple’s personal assistant Siri, it is possible to access data on a mobile device running iOS 9 in less than 30 seconds.

Below are the detailed instructions to bypass the passcode:

  • Take the Apple device running iOS 9 and enter an incorrect passcode four times.
  • Depending on the length of your passcode, for the fifth attempt enter 3 or 5 digits and for the last one, press and hold the Home button to run Siri immediately followed by the 4th digit.
  • Once Siri appears, ask the assistant for the time.
  • Tap the Clock icon to open the Clock app, and add a new Clock, then write anything in the Choose a City field.
  • Now double tap on the word you wrote to invoke the copy & paste menu, Select All and then click on “Share”.
  • Tap the ‘Message’ icon in the Share Sheet, and again type something random, hit Return and double tap on the contact name on the top.
  • Select “Create New Contact,” and Tap on “Add Photo” and then on “Choose Photo”.
  • At this point, you’ll now be able to access the entire photo library on the iOS device, which is still locked with a passcode. Now browse and view any photo from the Photo album individually.

Below is the video proof of concept for the trick.

Although this kind of hack doesn’t match the “Eligibility / Conditions” announced by Zerodium, it is interesting to note that it is quite easy to bypass the basic security measures implemented by the IT giant for its newborn iOS 9.

While waiting for a patch, iOS users can disable Siri on the lock screen from the device settings:

Settings > Touch ID & Passcode

Once it is disabled, users will still be able to use Siri after unlocking their iOS 9 device.
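For managed devices, the same mitigation can be enforced through a configuration profile rather than left to each user. The following is an added example, not part of the original article: it audits an unsigned `.mobileconfig` file for the Restrictions payload key `allowAssistantWhileLocked`, which blocks Siri on the lock screen when set to false. The function names, status labels and sample profiles are constructed for illustration.

```python
import plistlib
from xml.parsers.expat import ExpatError

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Restrictions payload type
SIRI_LOCKED_KEY = "allowAssistantWhileLocked"      # false = no Siri on lock screen


def siri_lock_screen_status(profile_bytes):
    """Classify an unsigned profile: blocked / allowed / unmanaged / unreadable."""
    try:
        profile = plistlib.loads(profile_bytes)
    except (plistlib.InvalidFileException, ExpatError):
        # Signed (CMS-wrapped) or damaged profiles are not plain plists.
        return "unreadable"
    if not isinstance(profile, dict):
        return "unreadable"
    status = "unmanaged"  # no payload mentions the key: the user setting decides
    for payload in profile.get("PayloadContent", []):
        if not isinstance(payload, dict):
            continue
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        if SIRI_LOCKED_KEY not in payload:
            continue
        if payload[SIRI_LOCKED_KEY] is False:
            return "blocked"   # one restricting payload settles it
        status = "allowed"     # key present but left permissive
    return status


def constructed_profile(**restrictions):
    """Build a constructed sample profile (not taken from a real deployment)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.constructed.lockscreen",
        "PayloadContent": [dict(PayloadType=RESTRICTIONS_TYPE, **restrictions)],
    })


if __name__ == "__main__":
    samples = {
        "hardened": constructed_profile(allowAssistantWhileLocked=False),
        "permissive": constructed_profile(allowAssistantWhileLocked=True),
        "silent": constructed_profile(allowCamera=True),
        "signed-or-corrupt": b"\x30\x82\x01\x00",
    }
    for name, data in samples.items():
        print(f"{name}: {siri_lock_screen_status(data)}")
```

A result of "unmanaged" or "allowed" means the lock-screen Siri setting still depends on what each user chose under Settings > Touch ID & Passcode.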

Edited by Pierluigi Paganini

(Security Affairs – iOS 9, hacking)
