The latest iPhone lock screen bypass, and how to stop it

Posted on May 12th, 2014 by

iOS 7 has brought some cool new features to Apple's mobile operating system, but it has also introduced its fair share of embarrassing and unwelcome security holes.

Some of the more high-profile flaws have involved methods to bypass the iPhone's lock screen. Astonishingly, the first of these appeared just one day after the initial release of iOS 7, and there have been too many others since.

Now, it appears that an iPhone lock screen flaw has been found in iOS 7.1.1, the latest version of the operating system, which can allow someone to reach the Contacts of an iPhone without unlocking the device.

Sherif Hashim, who describes himself as an Egyptian neurosurgeon and part-time security researcher, discovered the security loophole and created a video demonstrating how it could be exploited.

In his video, Hashim initially tries (and fails) to access the targeted iPhone's contact list by giving Siri a command while the device is locked.

However, when he simply gives Siri a "Call" command instead, and Siri asks who he would like to call, it is just a couple of simple steps to gain access to the phone's Contact list, where phone numbers can be stolen and even unauthorised calls made.

Of course, being an iPhone lock screen bypass it does require an unauthorised party to have physical access to your iPhone. This isn't a security hole that can be exploited remotely.

But many people are in the habit of leaving their phones lying around, perhaps in the office, college or at home, without properly considering that someone might, while backs are turned, meddle with them with either mischief or malice in mind.

It turns out that anyone concerned about this latest lock screen bypass can prevent it from happening on their iPhone easily enough.

Simply do the following to protect your iPhone from this type of attack:

  • Navigate to Settings > Passcode. (You should have to re-enter your passcode at this point. You *do* have a passcode, don’t you?)
  • Under the Allow Access When Locked section, tap the Siri On/Off slider to turn it off.
  • Now no-one, including you, can access Siri while your phone is locked.

Of course, this solution isn't going to be satisfactory for everyone. There are plenty of people who probably *want* to be able to give commands to Siri while their device is locked.

For instance, perhaps they are making calls while driving, or have a sleeping baby in their arms, which makes it tricky for them to enter a passcode.

I accept that could be a nuisance, but isn't it time that Apple understood that when a phone is "locked," users expect it to be really, properly *locked*?

We'll have to wait and see if Apple will include a fix for this latest lock screen bypass in a future version of iOS. In the meantime, if you're worried, disable Siri on the lock screen as described above. And let's hope that Apple also puts a little more effort into testing this particular part of its software, so it doesn't suffer from any more similar security flaws in future.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.
  • brijazz012

    Perhaps more dangerous: using Siri to do a web search, even while the phone is locked, gives the user access to Safari…. and all of the saved logins therein. The solution as I see it would be for Apple to have the keychain remain locked while the phone is locked, and not grant access to logins simply because Safari is running.

  • Dreadrik

    “Of course, this solution isn’t going to be satisfactory for everyone.
    There are plenty of people who probably *want* to be able to give
    commands to Siri while their device is locked.”

    At the same time, how can you expect Siri to do stuff for you if you don’t allow her access to some parts while the phone is locked?
