4 New ways to bypass passcode lock screen on iPhones, iPads running iOS 9 

Details:

It’s important to note that an attacker would need physical access to the device to pull this off; that being said, the advisory says the hacks were successfully executed on iPhone models 5, 5s, 6 and 6s as well as iPad models Mini, 1 and 2 running iOS 9 versions 9.0, 9.1 and 9.2.1. Vulnerability Lab posted a proof-of-concept video showing multiple new ways for a local attacker to bypass the passcode in iOS 9 and gain unauthorized access to the device.

4 Ways of bypass:

1.   Pushing the Home button to activate Siri and asking her to open a non-existing app. Siri responds that you have no such app, but she “can help you look for it on the App Store.” Tapping on the App Store button opens a “a new restricted browser window.” Either select update and open the last app, or “push twice on the Home button” for the task slide preview to appear. Swipe over to the active front screen task and that bypassed the passcode lock screen on iPhone models 5, 5s, 6 and 6s.

2.   First pushing on the Home button for two seconds to activate Siri and then asking to open the clock app. Switch to world clock in the bottom module and tap the image for the Weather Channel LLC network; if the weather app is deactivated by default, then a new restricted browser window will open which has App Store menu links. Click update and open the last app, or tap twice on the Home button to get to task slide preview. Swipe over to the active front screen and voila – passcode lock screen bypassed again.

3.   The third attack scenario works on iPad model 1 and 2, but basically follows the same steps as scenario two to bypass the passcode and gain unauthorized access to the device.

4.   Forcing Siri to open by pushing the Home button and asking her to “open Events/Calendar app.” An attacker could tap the “Information of Weather Channel” link which is found at the bottom of the screen next to the “Tomorrow module.” If the weather app is deactivated by default, then a new restricted browser window opens with App Store links. Tap update and open the last app, or push twice on the Home button to bring up the task slide preview. Swipe over to select the active front screen and the passcode on the lock screen is bypassed.

Probable Recommendations:

1.    Deactivate in the Settings menu the Siri module permanently.

2.    Deactivate also the Events Calendar without passcode to disable the push function of the Weather Channel LLC link.

3.    Deactivate in the next step the public control panel with the timer and world clock to disarm exploitation.

4.     Activate the weather app settings to prevent the redirect when the module is disabled by default in the events calendar.mapping value.