Connect with us

Hi, what are you looking for?


Mobile & Wireless

Multiple Passcode Bypass Vulnerabilities Discovered in iOS 9

Apple’s iOS 9.0, 9.1, and most recent 9.2.1 releases contain multiple connected passcode protection bypass vulnerabilities that affect both iPhone and iPad devices, researchers at Vulnerability Lab warn.

Apple’s iOS 9.0, 9.1, and most recent 9.2.1 releases contain multiple connected passcode protection bypass vulnerabilities that affect both iPhone and iPad devices, researchers at Vulnerability Lab warn.

These vulnerabilities allow a local attacker who has physical access to the device to bypass the passcode protection mechanism of the Apple mobile iOS, the bug’s security advisory reveals. Apple iPhone 5, 5s, 6 and 6s, as well as iPad mini and iPad 1 and 2 are affected by the bug.

The passcode bypass poses a high security risk, with a CVSS (common vulnerability scoring system) count of 6.4.

By successfully exploiting the vulnerability, an attacker can gain device access and compromise sensitive user data, including address-books, photos, SMS, MMS, emails, phone app, mailbox, and phone settings, while also being able to access other default/installed mobile apps.

Vulnerability Lab researchers note that the issues are located in the “App Store,” “Buy more Tones,” and “Weather Channel” links of the Clock, Event Calendar, and Siri User Interface. By exploiting the vulnerabilities, a local attacker could request an internal browser link request to the App Store that bypasses the user’s passcode or fingerprint protection mechanism.

According to researchers, an attacker can take advantage of these issues in several ways to gain unauthorized access to the affected Apple mobile iOS devices. Siri, the Events Calendar, and the Clock app of the control panel on default settings can be exploited in these scenarios, the advisory says.

Via Siri, an attacker could place a request for a non-existing app, after which Siri responds with an App Store link to search for it, and a restricted browser window is opened, listing some apps. The attacker can then switch back to the internal home screen by interacting with the home button or with Siri again.

The link to bypass the controls is visible in the Siri interface only and is called “open App Store.” Apple iPhone 5 and 6(s) running iOS v9.0, v9.1, or v9.2.1 are vulnerable to this exploit, the advisory said.

Advertisement. Scroll to continue reading.

An attacker could also gain access to the non-restricted Clock app by opening it via Siri or via Control Panel, which allows them to open the timer to the end timer or Radar module. The Clock app allows users to buy more sounds for alerts (via an included link) and the attacker can use it to open a restricted App Store browser window, after which they can switch back to the internal home screen as detailed above.

The link to bypass the controls is visible in the Alert – Tone (Wecker – Ton) and Timer (End/Radar), under the name of “Buy more Tones.” The vulnerability affects iPhone 5 and 6(s) with iOS v9.0, v9.1 & v9.2.1.

The Clock app, accessible via Control Panel or Siri, contains another similar vulnerability in the internal world clock module, which includes a link to the weather channel that redirects to the store. 

The link to bypass the controls is accessible via the World Clock (Weather Channel) and the security flaw affects only iPad 2 devices running iOS v9.0, v9.1 & v9.2.1, because only these models display the web world map. The iPhone version does not contain the bug.

By calling the App & Event Calendar panel via Siri, an attacker can then open ‘Information of Weather’ (Informationen zum Wetter – Weather Channel LLC) link in the Tomorrow task and, if it is deactivated, a new browser window opens to the App Store. The attacker can then switch back to the internal home screen, thus bypassing the passcode control on Apple Pad2 with iOS v9.0, v9.1 & v9.2.1.

Vulnerability Lab’s Benjamin Kunz Mejri told SecurityWeek that Apple has confirmed all of these vulnerabilities, along with the fact that they can be exploited to compromise devices. However, the company did not provide other details on these issues and the researchers do not know when a patch will be released.

In the meantime, users can mitigate these issues by entirely disabling the Siri module on their devices and by disabling Events Calendar without passcode, along with the public Control Panel with the timer and world clock to disarm exploitation. Users should also activate the weather app, thus preventing the redirect when the module is disabled.

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Kim Larsen is new Chief Information Security Officer at Keepit

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

More People On The Move

Expert Insights

Related Content

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.