Thursday, September 19, 2013

iOS 7 lockscreen bug gives access to photos, social sharing

Does the iPhone 5S' fingerprint reader make it the most secure mobile device around? That debate is still ongoing, but one thing is for sure: iOS 7 doesn't help, as a bug shown to Forbes on Thursday allows users to bypass the lockscreen and access email, photos, and more.

Jose Rodriguez is a 36-year-old soldier living in Spain’s Canary Islands, and he has a history of finding issues with iOS' lockscreen code. In March, Rodriguez found a way to bypass the iOS 6.1.3 lockscreen, and he found another one in a beta of iOS 7.

That bug was fixed in later versions of the iOS 7 beta, but Rodriguez found a new bug within an hour of downloading iOS 7 on Wednesday, when it was released to the public. To do so, he simply adapted methods he used previously on iOS 5 and 6.

As with many of these iOS lockscreen bugs, timing is key. An embedded video shows the method, which sounds simple enough. To exploit the security hole, a user swipes up on the lockscreen to access the platform's new “control center.” Then, the user opens the alarm clock.

Next, the user holds down the iPhone’s sleep / power button, which brings up the option to power it off. Instead, the intruder can tap “Cancel” and quickly double-click the home button to enter the phone’s multitasking screen. From there, the intruder can access the camera and stored photos.

In addition, anyone hacking into an iOS device in this way then has the ability to share those photos from the device owner’s accounts, essentially giving them the capability of hijacking the owner's email, Twitter, Facebook or Flickr account.

Those who want to avoid this vulnerability until Apple fixes it can simply shut down the Control Center. This can be done by going to “Settings,” then “Control Center.”

There is a lot of timing involved, so if you can't make the bug happen, don't think it's faux. We had trouble getting it to happen until we got the timing down.
