Apple’s iOS 9.0, 9.1, and most recent 9.2.1 releases contain multiple connected passcode protection bypass vulnerabilities that affect both iPhone and iPad devices, researchers at Vulnerability Lab warn.
These vulnerabilities allow a local attacker who has physical access to the device to bypass the passcode protection mechanism of the Apple mobile iOS, the bug’s security advisory reveals. Apple iPhone 5, 5s, 6 and 6s, as well as iPad mini and iPad 1 and 2 are affected by the bug.
The passcode bypass poses a high security risk, with a CVSS (common vulnerability scoring system) count of 6.4.
By successfully exploiting the vulnerability, an attacker can gain device access and compromise sensitive user data, including address-books, photos, SMS, MMS, emails, phone app, mailbox, and phone settings, while also being able to access other default/installed mobile apps.
Vulnerability Lab researchers note that the issues are located in the “App Store,” “Buy more Tones,” and “Weather Channel” links of the Clock, Event Calendar, and Siri User Interface. By exploiting the vulnerabilities, a local attacker could request an internal browser link request to the App Store that bypasses the user’s passcode or fingerprint protection mechanism.
According to researchers, an attacker can take advantage of these issues in several ways to gain unauthorized access to the affected Apple mobile iOS devices. Siri, the Events Calendar, and the Clock app of the control panel on default settings can be exploited in these scenarios, the advisory says.
Via Siri, an attacker could place a request for a non-existing app, after which Siri responds with an App Store link to search for it, and a restricted browser window is opened, listing some apps. The attacker can then switch back to the internal home screen by interacting with the home button or with Siri again.
The link to bypass the controls is visible in the Siri interface only and is called “open App Store.” Apple iPhone 5 and 6(s) running iOS v9.0, v9.1, or v9.2.1 are vulnerable to this exploit, the advisory said.
An attacker could also gain access to the non-restricted Clock app by opening it via Siri or via Control Panel, which allows them to open the timer to the end timer or Radar module. The Clock app allows users to buy more sounds for alerts (via an included link) and the attacker can use it to open a restricted App Store browser window, after which they can switch back to the internal home screen as detailed above.
The link to bypass the controls is visible in the Alert – Tone (Wecker – Ton) and Timer (End/Radar), under the name of “Buy more Tones.” The vulnerability affects iPhone 5 and 6(s) with iOS v9.0, v9.1 & v9.2.1.
The Clock app, accessible via Control Panel or Siri, contains another similar vulnerability in the internal world clock module, which includes a link to the weather channel that redirects to the store.
The link to bypass the controls is accessible via the World Clock (Weather Channel) and the security flaw affects only iPad 2 devices running iOS v9.0, v9.1 & v9.2.1, because only these models display the web world map. The iPhone version does not contain the bug.
By calling the App & Event Calendar panel via Siri, an attacker can then open ‘Information of Weather’ (Informationen zum Wetter – Weather Channel LLC) link in the Tomorrow task and, if it is deactivated, a new browser window opens to the App Store. The attacker can then switch back to the internal home screen, thus bypassing the passcode control on Apple Pad2 with iOS v9.0, v9.1 & v9.2.1.
Vulnerability Lab’s Benjamin Kunz Mejri told SecurityWeek that Apple has confirmed all of these vulnerabilities, along with the fact that they can be exploited to compromise devices. However, the company did not provide other details on these issues and the researchers do not know when a patch will be released.
In the meantime, users can mitigate these issues by entirely disabling the Siri module on their devices and by disabling Events Calendar without passcode, along with the public Control Panel with the timer and world clock to disarm exploitation. Users should also activate the weather app, thus preventing the redirect when the module is disabled.
