Thursday, 19 September 2013

iOS 7 Lock Screen Vulnerability Gives Access to Photos, Email

There appears to be a lock screen vulnerability in iOS 7 that allows access to a device's photos, email, and social networking accounts. According to Jose Rodriguez, who provided a video of the bug to Forbes, a simple sequence of gestures gives unauthorized access to a device running iOS 7.

The exploit is initiated by swiping upwards on the device's lock screen to open the Control Center and then the Clock app. Once the Clock app is open, holding the phone's sleep button causes the "Slide to Power Off" option to appear. Tapping Cancel at this point and then double-clicking the home button opens the phone's multitasking screen, providing access to the camera and the photos on the device. The key to the trick, however, is to open the camera app from the lock screen first, so that it appears in the recently used apps list.

Because the photos from the camera app can be shared via Flickr, Twitter, Facebook, and email, an intruder can also gain access to those apps using the sharing tools.

I tested the technique on an iPhone 5 running iOS 7, and it worked. Rodriguez's video shows it working on an iPad, too. It's not yet clear if the same exploit can bypass the lock screen of an iPhone 5s or 5c, but Rodriguez tells me he believes it will. I've reached out to Apple for comment and I'll update this post if I hear from the company.

Apple has been plagued by lock screen vulnerabilities multiple times over the course of the year, including a bug in iOS 6.1 that allowed access to a locked phone when the emergency call function was manipulated.

The current iOS 7 vulnerability can be avoided by preventing the Control Center from appearing on the lock screen. To change the setting, open the Settings app, select Control Center, and toggle "Access on Lock Screen" off.

Update: Apple has told AllThingsD that it is working on a fix. "Apple takes user security very seriously," Apple spokeswoman Trudy Muller told AllThingsD. "We
