New Lock screen bug bypasses iPhone/iPad passcode, lets you see photos/contacts

Nov 17, 2016

Apple likes to pride itself on strong security in iOS, but for all the platitudes the fact remains that the iPhone’s Lock screen is one of iOS’s weakest links. And now, YouTuber iDeviceHelp has discovered a new Lock screen vulnerability that lets anyone in possession of your iPhone bypass the passcode and get to your contacts and photos. The bug has been reported to Apple and should be fixed in a future update.

The trick involves calling another person’s mobile phone number via FaceTime or cellular and tapping the Message option on their device to get to the Messages screen.

From there, you’ll use Siri to enable VoiceOver which lets you exploit the vulnerability and gain access to the Photos library and contacts. The method is a bit finicky as you’ll need to get the timing of your taps right but once you get the hang of it, it’ll work like a charm.

After a few tries, I was able to successfully reproduce the steps outlined in EverythingApplePro’s how-to video to confirm that it works as advertised on an iPhone 7 running iOS 10.1.1. I could browse all of the photos even though the phone was locked the whole time.

How to unlock any iPhone photos without a passcode

1) Press and hold the Home button on the device you want to break into and ask Siri, “Who am I?”. A contact card goes up letting you see a person’s mobile phone number and any email addresses associated with iMessage (if they disabled Siri access on the Lock screen, you’ll be out of luck).

2) From your own iPhone, iPad or iPod touch, launch FaceTime and call the person’s number.

3) When their device starts ringing, tap the Message option on the Lock screen and select the option in the popup menu labeled Custom…

4) A Messages sheet pops up. You’ll notice that the TO field is pre-populated with the caller’s contact information. Now press and hold the Home button and ask Siri to “Turn on VoiceOver”.

5) With the VoiceOver feature turned on, double tap the TO field at the top with the caller’s information, then immediately tap anywhere on the keyboard. Make sure you double tap the empty section, not the name.

You want the three icons (Camera, iMessage Apps and App Store) on the left of the Messages text field to appear right after tapping the keyboard. It’ll certainly take a few tries until you get this right.

After the icons show up, VoiceOver’s focus should remain on the TO field at the top.

6) If you see both a black rectangle around the TO field and the three icons to the left of the Messages text field, invoke Siri again and tell her to “Disable VoiceOver”.

7) Due to a bug in iOS, anything typed on the keyboard at this point will be directed to the TO field where it shouldn’t really be sent. This has some unintended consequences, as you’ll see later. Now tap a key, any key on the keyboard and see if Messages displays any matching contacts with an “i” icon next to them.

If not, tap another key and so forth.

8) Tap “i” next to a contact to get to their full contact card.

9) You’re on the contact card screen. Now scroll down and tap Create New Contact.

10) On the New Contact screen, tap Add Photo below the mugshot icon, then tap Choose Photo. And there you go: you’ve just accessed all of the photos on the person’s iPhone, without a passcode.

If you inspect the iOS status bar closely, you should see the padlock icon.

Although the device is locked, you can tap All Photos or Camera Roll to see the complete Photos library. You can even see their Recently Deleted album and browse their hidden shots and videos.

Of course, we don’t expect anyone to exploit this vulnerability for nefarious purposes aside from perhaps pranking your friends or making sure your significant other is not cheating on you.

Just kidding, we do not condone privacy breaches of any sort. The contents of any person’s iPhone are their business, not yours. Just because there’s a bug in iOS that makes it possible to bypass the Lock screen doesn’t mean you should take advantage of it and sniff around other people’s phones.

Obviously, you can protect yourself quite easily from this bug until a patch is released—just disable access to Siri and the Reply with Message feature from the Lock screen. Go to Settings → Touch ID & Passcode and slide Siri and Reply with Message toggles below the Allow Access When Locked headline to the OFF position.

This should ensure that no one will be able to invoke Siri on the Lock screen to find out your mobile phone number or use the Message option when the phone call comes in to get to your photos.
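
For managed devices, the Siri half of this mitigation can be pushed as a configuration profile instead of being set by hand on each phone. The script below is an added example, not part of the original article: it relies on the Restrictions payload key `allowAssistantWhileLocked`, the identifiers and output file name are constructed placeholders, and Reply with Message still has to be switched off on the device as described above.

```python
import plistlib
import uuid

# Constructed placeholder; replace with your organisation's reverse-DNS prefix.
ORG_PREFIX = "com.example.lockscreen"


def build_profile(org_prefix: str = ORG_PREFIX) -> bytes:
    """Return a .mobileconfig (XML plist) that turns off Siri on the Lock screen."""
    restrictions = {
        "PayloadType": "com.apple.applicationaccess",  # Restrictions payload
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Lock screen restrictions",
        # Same effect as the Siri toggle under "Allow Access When Locked".
        "allowAssistantWhileLocked": False,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_prefix,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Disable Siri when locked",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def siri_blocked_when_locked(profile_bytes: bytes) -> bool:
    """Audit helper: True only if a Restrictions payload sets the key to False."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        # A missing key means the restriction is not enforced (Siri stays allowed).
        if payload.get("allowAssistantWhileLocked", True) is False:
            return True
    return False


if __name__ == "__main__":
    data = build_profile()
    with open("disable-siri-lockscreen.mobileconfig", "wb") as fh:
        fh.write(data)
    print("Siri blocked on Lock screen:", siri_blocked_when_locked(data))
```

The audit helper can also be run over profiles exported from an existing fleet to find devices where the restriction was never set.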

As mentioned, this significant security leak has already been reported to Apple and is likely going to be fixed in a future iOS software update. So how far back does this go? According to the poster, the vulnerability is exploitable on the latest iOS 10.2 beta 3 as well as iOS builds for older devices.

It even works on iPads and the iPhone 4s.

That’s kind of a big deal because Apple officially no longer supports the iPhone 4s, meaning it stopped releasing any updates for it beyond iOS 9.3.5. However, this newly found Lock screen bypass will likely be fixed for iPhone 4s owners in the form of iOS 9.3.6 or a quick emergency update.

Have any of you guys been able to reproduce this obvious bug in iOS?

And if so, what did you think of it?

Source: iDeviceHelp on YouTube

  • Stephen Hedger

    Sorry to piss on your fire but on ios10 Siri says they don’t know who I am and the settings option it asks me to enter is protected by a passcode.

    So my device is secure!

    Maybe this bug is ios8?

    • This was reproduced on iPhone 7 running iOS 10.1.1. Took a few tries but it did work.

    • mahe

      The “who I am” stuff is only needed to get the phone number and/or email-address to call the locked phone.
      If you have the number you can skip that, as you can see in the video.

      • Matt

        Hell, you won’t even need the number. You can pop out the sim card, insert yours in place of the owner’s, then call yourself from another phone.

        I understand this isn’t practical but it is possible if you have no other way to get in the phone

      • mahe

        Ha!
        Didn’t think about that 😀

  • pnh

    Whoever found this has WAY too much time on their hands.

    • lookHOWMADheis

      I’m sure it was a female who found this out !

    • :D

      Probably found it by accident

    • Diego Milano

      Whether they have tons of time or not, that’s not the point, haha. The point is thanks to these individuals our devices are more secure since Apple will patch this quickly.
      What IS evident here is that Siri is probably the most recurring vulnerable portion of iOS and the guy at EverythingApplePro has posted a lot of these vulnerabilities for ages!

  • Ds

    So if you have Siri disabled you should in theory be safe?

  • Junior W.

    How do they discover these bugs? Who has time to try all that, jeez.

    • Diego Milano

      Like someone said, it was probably found by accident and then when they realized, they then tried to reproduce it, which is what we see above. 🙂 It’s nuts, I know, haha.

  • Scott Curry

    I think I’ll just continue to make sure no one else has physical access to my devices…

    • techfreak23

      lol right? Chances are you will NEVER see this in the wild actually being used by someone.

    • Diego Milano

      The iPhone will hopefully get to be more secure once they add iris scanning to it, but as usual, something else will come up.

  • Mike T4

    Doubtful this will be fixed for 4s

    • Diego Milano

      😛

  • mahe

    It’s enough to turn off “answer with message” in the TouchID & Code settings.
    You don’t need to turn off Siri on the lockscreen (but I would suggest to never allow Siri on your lockscreen, for security reasons)

  • Chris

    I think most people would just give up given how many steps are needed. I would just take the person’s hand and direct it towards their TouchID sensor.

    But that’s just me.

    • thunderqus

      good luck doing that on unattended phone 😉

  • 7000rpm

    What’s the option home control?

  • Mr_Coldharbour

    I cannot believe this is happening again. I remember this also happened in iOS 8 as well as iOS 9. Well, I never use Siri or VoiceOver or Voice Control. In fact, since iOS 10.2 beta introduced the option to disable any Siri-like features from long-pressing on the Home Button, I immediately enabled that feature so that long-pressing on the Home Button doesn’t trigger any Siri or Voice Control features.

  • Rowan09

    As some people already asked, how do people find these things? Maybe they see a way by looking at the coding, but if someone just kept on trying to see if it works, they deserve a job at Apple or at least Best Buy.

    • thunderqus

      why best buy?

      • Rowan09

        Because if they can’t be a Genius maybe they can be Geek Squad. I was just kidding.

    • Diego Milano

      The guy at EverythingApplePro has spotted a lot of these vulnerabilities and he sometimes tries them in realtime as he is showing the new releases of iOS coming out; I bet he’s got a list of these written down somewhere and he tries from time to time every time a new iOS iteration is out. Or not. 😛

  • Bibibombibi

    Glad that I have SIRI turned off because I don’t like to use voice assistance….

    • Diego Milano

      Glad to read this! Are you and I the only ones around here who don’t care about Siri? If everyone used Siri in a public place, it would be stupid. 😛

  • Dilir Daiyan Aranna

    Or Just turn off Siri on Lock Screen?

    • techfreak23

      Or just don’t let anyone else touch your phone?