Tuesday, April 5, 2016

The Curious Case of the iOS 9.3.1 "Hey, Siri" Contacts, Photos Vulnerability


Late last night, my father, of all people, tipped me off to a story making the rounds on the Internet about a security vulnerability with an iPhone 6s or iPhone 6s Plus running iOS 9.3.1.  The reported vulnerability allowed a malicious user to bypass the iPhone's lock screen using the hands-free "Hey, Siri" command.  When successfully executed, an attacker would be able to see all of the contacts and photos on the device.

Quartz has an article up on their site that starts off with:
"You might want to wait before downloading the latest version of Apple’s operating system for iPhones.

If you own an iPhone 6S or 6S Plus and have upgraded to iOS 9.3.1, other people can access your contacts and photos without entering a passcode to unlock the phone. It’s an elaborate and finicky but nonetheless startling loophole."
With my iPhone 6s Plus unlocked and running iOS 9.3.1, the "finicky" exploit worked.  However, if I repeated the process with my iPhone locked, the attack was stopped dead in its tracks.

This morning, when I tried to reproduce the attack, I received a notice from Siri that I needed to unlock my iPhone first.  I made this short video that was posted to YouTube this afternoon.



Oddly, the security settings that AppleInsider.com reported as needing to be turned off to prevent the attack were still enabled on my iPhone.  Curious.

So what happened?

This afternoon, Fortune.com has an article up reporting that the Siri-related problem was corrected by Apple from Apple HQ.
"While initial reports and claims from the bug’s discoverers said that the issue was an iOS 9 glitch, it turns out it was a Siri problem. On Tuesday morning, after seeing the rash of reports on the issue, Apple issued an update to Siri fixing the problem. Therefore, users who were previously subject to the issue are now safe and do not require a software update to get the fix."
Security- and privacy-conscious iPhone 6s and iPhone 6s Plus users can go back to their day without further worry.
