If you have an iPhone running iOS 9, you should be aware that it may be possible to access your photos and contacts on a locked device, even with a passcode and/or Touch ID enabled. I’ve always ignored reports on this sort of security flaw, because they always seem to pop up with every iOS iteration, and almost always require a user to jump through what seems like a million hoops.
But for some reason—call it boredom, or call it poor judgement—I got curious, and decided to try this out for myself. As it turns out, it’s not that hard to do, and it certainly seems like a security flaw in iOS to me.
I debated on whether to post this, because obviously it’s going to bring attention to a security flaw that might let people access information that they shouldn’t be accessing.
For starters, please don’t get bent out of shape over this. This does not expose any other contents of your iPhone outside of Contacts and Photos. People still can’t unlock your device, read your messages, watch videos, etc. This only allows users to view your contacts, and look at your photos (not videos) through a limited interface. Photos cannot be forwarded or shared from your iPhone.
My hope is that a). this informs users that a passcode or Touch ID security isn’t necessarily enough to keep unwanted eyes off your photos and contacts, and b). Apple will see this and provide a fix. c). show you how to prevent the issue.
The thing is, this information is already out there, and the people who will use it for the bad probably already know about it. Consider this post an attempt to educate those who do not know about this iOS 9 security hiccup. Hopefully, it’ll allow users to make smarter decisions about their iPhone’s security.
Here’s how the security flaw works
Step 1: Enter four different incorrect passcode (iOS 9 temp-locks you out after the fifth incorrect passcode entry).
Step 2: Enter 3 digits towards an incorrect fifth passcode, and press and hold the Home button to invoke Siri followed immediately by the 4th digit.
Step 3: The iPhone will be temp-locked for a minute, but not before Siri is invoked.
Step 4: Ask Siri what time it is.
Step 5: Tap the Clock icon to open the Clock app.
Step 6: Tap the + icon in the upper right-hand corner.
Step 7: Type something erroneous in the Choose a City field.
Step 8: Tap in the field to invoke the copy & paste menu, and tap Select All → Share…
Step 9: Tap the Message app icon in the Share Sheet.
Step 10: Type something erroneous in the To field and tap Return.
Step 11: Tap two times on the erroneous contact name in the To field to open the Info page.
Step 12: Tap Create New Contact.
Step 13: Tap Add Photo.
Step 14: Tap Choose Photo.
Step 15: You will now see all of the photos and albums on the device, which is still locked. You can now browse and view each photo individually.
Note: If you’d prefer to see Contacts, tap Add to Existing Contact in Step 12 instead of Create New Contact.
And that’s pretty much it. Watch the video above to see how it’s done. It only takes about a minute.
Again, my hope is to inform users of this flaw. It’s already out there in the wild anyway, but hopefully Apple will see that this is a legitimate security issue, and fix it accordingly.
Before anyone gets up in arms about this, remember that operating systems are inordinately complex. Every system has flaws, there are no exceptions to this, hence the need for security updates. Even rock solid systems that have been around for eons have flaws and occasional security-related patches.
It is possible to prevent this issue by disabling Siri access while your iPhone is locked. If you’re at all concerned about this, I recommend taking this measure until Apple patches this flaw. To disable Siri access from the Lock screen go to Settings → Touch ID & Passcode and turn off the Siri switch under the Allow Access When Locked heading.
The best thing to do is not to panic, and instead be aware of what may be possible. Keep your iPhone within eyesight, or turn off Siri access from the Lock screen, and wait for Apple to issue a fix.