If you own an iPhone 6s or 6s Plus and have upgraded to iOS 9.3.1, you might be in for some trouble. A flaw discovered in Apple's latest software version allows Siri to grant anyone access to your Photos and Contacts without a passcode. Here is how you can bypass your own passcode on iPhone 6s or 6s Plus to test this vulnerability, and then protect yourself using a few fixes.
iOS 9.3.1 iPhone 6s vulnerability
After Apple squashed the bricking bug that iOS 9.3 introduced, a new video has surfaced showing how to get at anyone's Photos or Contacts by talking Siri into it. The bug is worrying, but it is also a clever trick: anyone can reach your data by asking Siri to search Twitter for an email address, then using 3D Touch on that address to jump straight into Contacts or Photos.
The vulnerability only affects the iPhone 6s and iPhone 6s Plus, because it relies on 3D Touch, which only these two models offer.
How does the iOS 9.3.1 passcode bypass work?
You can test this on your own phone with a few steps and your personal digital assistant.
- Lock your iPhone 6s or 6s Plus.
- Activate Siri and say "Search Twitter."
- When Siri asks what to search for, say "@gmail dot com" or any other popular email domain. The goal is to find a tweet containing a valid email address.
- Once the search results come up, tap on a tweet with a valid email address.
- Bring up the contextual menu by using 3D Touch on this email address.
- Tap Create New Contact > Add photo > Choose photo OR Add to Existing Contact.
- This will let you view Photos and Contacts on your device without having to enter a valid passcode.
Not up for trying this yourself? You can watch the vulnerability in action in this video shared by videosdebarraquito.
Some fixes to this Siri iPhone 6s vulnerability
The quick fix? Disable 3D Touch and no one will be able to use this vulnerability to get at your data. Another fix? Don't update to iOS 9.3.1 if you haven't already (yay for us super-slow people?).
On a serious note, you can disable Siri's access to photos. This will prevent any intruders from using the Add photo option to get into your albums.
- Go to Settings > Privacy > Photos.
- Toggle Siri's switch off.
How about protecting your contacts? A simple solution is to disable access to Siri from the Lock screen, which renders this bypass useless entirely, since Siri is the only way in.
- Go to Settings > Touch ID & Passcode.
- Under Allow access when locked, disable Siri.
Apple has yet to give any official comment on this newly discovered security flaw in iOS 9.3.1. I can see my own iPhone 6s now giving a notification to update to iOS 9.3 instead of iOS 9.3.1 after this bug was reported a few hours ago. We will update this post if there is any official word available.
[Update]: Vulnerability is now fixed
Apple has fixed the passcode bypass vulnerability and another Siri-related bug. Now, when you try to search Twitter via Siri, you will receive a response saying, "You’ll need to unlock your iPhone first." Along with this, Apple has also fixed another bug that let you activate Night Shift Mode using Siri while Low Power Mode was enabled. Siri now responds to such a request with a message saying, "In order to turn on Night Shift, I’ll have to turn off Low Power Mode. Shall I continue?"