Using a passcode to protect users’ data on an iPhone does not prevent an ill-intentioned person with local access to the device from reaching that data.
A new flaw allows bypassing the passcode protection, even when Touch ID is properly configured, and accessing photos and messages stored on the device.
The critical vulnerability affects iOS 8 and newer versions of the Apple OS, including 10.2 beta 3. An attacker can bypass the iPhone passcode and gain access to personal data on the device by exploiting Siri, the Apple personal assistant.
The security issue was discovered by EverythingApplePro and iDeviceHelps, who made it public and published a video PoC of the hack.
The attacker needs the phone number of the target iPhone and access to the phone for a few minutes. If he doesn’t know the phone number, Siri will reveal it in response to a simple query, “Who am I?”
While waiting for a fix, users can protect their devices by disabling Siri on the lock screen. The personal assistant will then be accessible only after providing the iPhone passcode or the fingerprint.
Go to Settings → Touch ID & Passcode and disable Siri on the lock screen by toggling the switch off.
Another possibility is to remove Photos access from Siri, as follows:
Go to Settings → Privacy → Photos and then prevent Siri from accessing pictures.
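On managed devices, the same lock-screen mitigation can be pushed through a configuration profile instead of being set by hand on each phone. The following is an added example, not part of the original article: Python that builds an unsigned profile using Apple's Restrictions payload key allowAssistantWhileLocked and audits a profile for it. The identifier com.example.mdm and the function names are assumptions.

```python
import plistlib
import uuid

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Apple's Restrictions payload type


def build_profile(allow_while_locked=False, org_id="com.example.mdm"):
    """Return unsigned .mobileconfig bytes (org_id is a placeholder).

    allow_while_locked=None omits the key, so the audit below can be
    exercised against a profile that says nothing about Siri.
    """
    restrictions = {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadIdentifier": org_id + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Lock screen restrictions",
    }
    if allow_while_locked is not None:
        restrictions["allowAssistantWhileLocked"] = allow_while_locked
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": org_id + ".lockscreen",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Disable Siri on lock screen",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def siri_locked_out(mobileconfig):
    """True only if a Restrictions payload explicitly blocks Siri on the
    lock screen, or disables Siri altogether (allowAssistant = false).

    A missing key counts as not mitigated, since the restriction is then
    not enforced. Expects an unsigned profile; a signed one is CMS-wrapped
    and must be unwrapped before parsing.
    """
    profile = plistlib.loads(mobileconfig)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        if (payload.get("allowAssistantWhileLocked") is False
                or payload.get("allowAssistant") is False):
            return True
    return False
```

Running siri_locked_out over the profiles already deployed to a fleet shows which ones leave Siri reachable from the lock screen.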
Experts believe Apple will fix the issue in the next version of iOS 10.2.
(Security Affairs – iPhone 7, mobile)