iOS 9 hack lets anyone see all photos and contacts even if phone is locked

An exploit using Siri allows people to get around the iPhone’s security measures — but it’s easy to patch up, until Apple rolls out a proper fix

Andrew Griffin
Thursday 24 September 2015 06:20 EDT
A customer looks at the new iPhone 6 Plus at the launch of the new Apple iPhone 6 and iPhone 6 Plus at the Apple Omotesando store on September 19, 2014 in Tokyo, Japan (Chris McGrath/Getty Images)


A bug in iOS 9 lets anyone see all of a person’s pictures or contact information, even if they have locked their phone.

A very quick workaround, which uses Siri, lets people into the phone even if the passcode and Touch ID fingerprint sensor are turned on.

To exploit the bug, would-be hackers repeatedly mash the numbers on the passcode screen until the iPhone threatens to lock the user out. Speaking to Siri to help open the Clock app, and then clicking through, allows people unfettered access to the Photos and Contacts apps, potentially exposing personal data.

The exploit has been shown in a proof-of-concept video by Jose Rodriguez, who has a track record of finding similar bugs in iOS. Rodriguez confirmed to Apple Insider that the phone was not his.

The bug can be easily prevented by heading to Settings and choosing Touch ID & Passcode. Turning off Siri when the phone is locked stops the hack from working.

Another way of keeping the phone safe is by using a longer, alphanumeric password, rather than the four- or six-digit passcodes that are set up by default.

The problem does not seem to have been fixed in iOS 9.0.1, the recently rolled out update to the system.

Similar bugs have been found in various first updates to iOS — versions 7, 6 and 4 were all initially vulnerable to similar hacks. Since the iPhone’s lock screen is the main defence against people getting unwanted access to the phone, it has become a particular target for hackers.
