Vulnerabilities in Appleâs iOS lock screens have become a fixture of new iOS releases over the past few years, and iOS 7 is not exempt. A new method for bypassing the passcode on a lock screen has been discovered by idle hands and reported by Forbesâ Andy Greenberg [1] .
The lock screen bypass method involves sliding up Control Center, tapping on the timer button and holding down the power button until the cancel option comes up. You then tap on the cancel button then double-tap the home button. This gives you access to the multitasking UI. While most apps are locked out, the Camera option is accessible.
This allows you to access the camera interface, but with the ability to scroll through all of the ownerâs photos, not just the ones shot in the time since the phone was last locked â" in the manner that the camera has worked for some time now.
Not only can you scroll through the photos, but you can also tap on the share button to send photos out via email or social channels like Twitter or Facebook. So once youâre in you can post photos to Flickr or send them via email. Though Greenberg characterizes this as âhijackingâ those accounts, that seems a bit dramatic. Still, there is potential for embarrassment or harm if sensitive (ahem) photos get stolen or shared out through your social accounts.
The bypass method has been verified by us to work properly and to not be overly difficult to execute. It took me about three tries to get it right on an iPhone 5 running iOS 7. As Greenberg notes, itâs hard to tell whether this works on an iPhone 5c or iPhone 5s as of yet.
Note that this vulnerability is incredibly easy to prevent for now. Just visit Settings>Control Center and toggle off âAccess on Lock Screenâ to patch it up.
The discovery was made by Jose Rodriguez, a soldier in Spainâs Canary Islands, who has a history of discovering these tricky bypass methods. His secret? Plenty of time waiting in cars in his former job as a driver for government officials.
Weâve reached out to Apple for more information on this and when a fix might be available. We will update this story if we receive a reply. With past vulnerabilities, a software fix has come in a âpointâ release of iOS 7. iOS 7.0.1 is already floating out there and contains a fix for Appleâs TouchID fingerprint scanner. So any fix for this would likely come in iOS 7.0.2 or later.
Apple has added a variety of security features to iOS 7, including Activation Lock, which renders stolen phones unusable, even if theyâre wiped. But it looks like it needs another lock screen audit just to be sure.
No comments:
Post a Comment