PBI NetWork
Active Member
iOS 7 Bug Lets Anyone Bypass iPhone's Lockscreen To Hijack Photos, Email, Or Twitter
Andy Greenberg
Forbes Staff
Forget the debate around the security or insecurity of the iPhone 5s's fingerprint reader. The latest version of the iPhone's operating system currently offers a gaping hole in its old-fashioned passcode lockscreen.
Video here:
http://www.youtube.com/watch?v=tTewm0V_5ts&feature=player_embedded
Jose Rodriguez, a 36-year-old soldier living in Spain's Canary Islands, has found a security vulnerability in iOS 7 that allows anyone to bypass its lockscreen in seconds to access photos, email, Twitter, and more. He shared the technique with me, along with the video above.
As the video shows, anyone can exploit the bug by swiping up on the lockscreen to access the phone's control center, and then opening the alarm clock. Holding the phone's sleep button brings up the option to power it off with a swipe. Instead, the intruder can tap cancel and double click the home button to enter the phone's multitasking screen. That offers access to its camera and stored photos, along with the ability to share those photos from the user's accounts, essentially allowing anyone who grabs the phone to hijack the user's email, Twitter, Facebook or Flickr account.
I tested the technique on an iPhone 5 running iOS 7, and it worked. Rodriguez's video shows it working on an iPad, too. It's not yet clear if the same exploit can bypass the lockscreen of an iPhone 5s or 5c, but Rodriguez tells me he believes it will. I've reached out to Apple for comment and I'll update this post if I hear from the company. Update: A spokesperson from Apple tells me that the company "takes security very seriously and we're aware of this issue. We'll deliver a fix in a future software update."
Rodriguez has a track record of finding lockscreen bypass bugs in iOS, many of which he says he dug up while killing time in his old job as a driver for government officials. "I had a lot of time to look at the scenery, break the phone or write poetry while waiting for my boss, and I don't write poetry and already knew the landscape by heart," he tells me via instant message and Google translate. So he spent hours trying "everything that goes through my head... I submit my iPhone to cruel methods of torture."
Rodriguez found a trick to bypass the lockscreen of iOS 6.1.3 in March, and then another one in iOS 7 beta. Though that beta bug was fixed in later versions of iOS 7, Rodriguez was able to find a new one within an hour of downloading the latest iPhone operating system by adapting tricks that worked on iOS 5 and 6. (He also tells me that this will be his last hunting trip for iPhone lockscreen bugs, as he has a new office job that demands more of his time.)
The latest version of iOS patches 80 security vulnerabilities, according to a post on Apple's security mailing list. Clearly the company's security team also missed a big one.
Update: A reader points out that anyone hoping to avoid this vulnerability until Apple issues a fix can prevent control center from appearing on their lockscreen by accessing settings, then control center. Some users are also reporting the trick isn't working on their phones and tablets, though it may just take a little finesse to figure out the timing.
iOS 7 Bug Lets Anyone Bypass iPhone's Lockscreen To Hijack Photos, Email, Or Twitter - Forbes