This is not reproducible. I tried it on several iPhones. I believe the user in the video is unlocking the phone via touch ID, hence “bypassing” the lock screen. In my tests, Siri responds with “You must unlock your iPhone first”.
> On 03-07-2016, at 3:52 AM, Vulnerability Lab <[email protected]> wrote:
>
> Document Title:
> ===============
> Apple iOS v9.2.1 - Multiple PassCode Bypass Vulnerabilities (App Store Link, Buy Tones Link & Weather Channel Link)
>
>
> References (Source):
> ====================
> http://www.vulnerability-lab.com/get_content.php?id=1778
>
> Video: http://www.vulnerability-lab.com/get_content.php?id=1779
>
>
> Release Date:
> =============
> 2016-03-07
>
>
> Vulnerability Laboratory ID (VL-ID):
> ====================================
> 1778
>
>
> Common Vulnerability Scoring System:
> ====================================
> 6.4
>
>
> Product & Service Introduction:
> ===============================
> iOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally released in 2007 for the
> iPhone and iPod Touch, it has been extended to support other Apple devices such as the iPad and Apple TV. Unlike Microsoft's Windows
> Phone (Windows CE) and Google's Android, Apple does not license iOS for installation on non-Apple hardware. As of September 12, 2012,
> Apple's App Store contained more than 700,000 iOS applications, which have collectively been downloaded more than 30 billion times.
> It had a 14.9% share of the smartphone mobile operating system units shipped in the third quarter of 2012, behind only Google's Android.
>
> In June 2012, it accounted for 65% of mobile web data consumption (including use on both the iPod Touch and the iPad). At the half of
> 2012, there were 410 million devices activated. According to the special media event held by Apple on September 12, 2012, 400 million
> devices have been sold through June 2012.
>
> ( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )
>
>
> Apple Inc. is an American multinational technology company headquartered in Cupertino, California, that designs, develops, and sells
> consumer electronics, computer software, and online services. Its hardware products include the iPhone smartphone, the iPad tablet
> computer, the Mac personal computer, the iPod portable media player, and the Apple Watch smartwatch. Apple's consumer software includes
> the OS X and iOS operating systems, the iTunes media player, the Safari web browser, and the iLife and iWork creativity and productivity
> suites. Its online services include the iTunes Store, the iOS App Store and Mac App Store, and iCloud.
>
> (Copy of the Homepage: https://en.wikipedia.org/wiki/Apple_Inc. )
>
>
> Abstract Advisory Information:
> ==============================
> The vulnerability laboratory research team discovered multiple connected passcode protection bypass vulnerabilities in the iOS v9.0, v9.1, v9.2.1 for
> Apple iPhone (5,5s,6 & 6s) and the iPad (mini,1 & 2).
>
>
> Vulnerability Disclosure Timeline:
> ==================================
> 2016-01-03: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
> 2016-01-04: Vendor Notification (Apple Product Security Team)
> 2016-**-**: Vendor Response/Feedback (Apple Product Security Team)
> 2016-**-**: Vendor Fix/Patch (Apple Developer Team)
> 2016-**-**: Security Acknowledgements (Apple Product Security Team)
> 2016-03-07: Public Disclosure (Vulnerability Laboratory)
>
>
> Discovery Status:
> =================
> Published
>
>
> Affected Product(s):
> ====================
> Apple
> Product: iOS - (Mobile Operating System) 9.1, 9.2 & 9.2.1
>
>
> Exploitation Technique:
> =======================
> Local
>
>
> Severity Level:
> ===============
> High
>
>
> Technical Details & Description:
> ================================
> An auth passcode bypass vulnerability has been discovered in the iOS v9.0, v9.1, v9.2.1 for Apple iPhone (5,5s,6 & 6s) and the iPad (mini,1 & 2).
> The vulnerability type allows a local attacker with physical device access to bypass the passcode protection mechanism of the Apple mobile iOS devices.
>
> The vulnerabilities are located in the 'Appstore', 'Buy more Tones' or 'Weather Channel' links of the Clock, Event Calendar & Siri User Interface.
> Local attackers can use Siri, the event calendar or the available clock module for an internal browser link request to the appstore that is able to
> bypass the customers passcode or fingerprint protection mechanism. The attacker can exploit the issue in several ways with Siri, the events calendar
> or the clock app of the control panel on default settings to gain unauthorized access to the affected Apple mobile iOS devices.
>
> 1.1
> In the first scenario the attacker requests for example via Siri a non existing app, after that Siri answers with an appstore link to search for it.
> Then the attacker opens the link and a restricted browser window is opened and listing some apps. At that point it is possible to unauthorized switch
> back to the internal home screen by interaction with the home button or with Siri again. The link to bypass the controls is visible in the Siri
> interface only and is called "open App Store". The vulnerability is exploitable in the Apple iPhone 5 & 6(s) with iOS v9.0, v9.1 & v9.2.1
>
> 1.2
> In the second scenario the attacker is using the control panel to gain access to the non restricted clock app. The local attacker opens the app via
> Siri or via panel and opens then the timer to the end timer or Radar module. The developers of the app grant apple customers to buy more sounds for
> alerts and implemented a link. By pushing the link a restricted appstore browser window opens. At that point it is possible to unauthorized switch
> back to the internal home screen by interaction with the home button or with Siri again. The link to bypass the controls becomes visible in the
> Alert - Tone (Wecker - Ton) & Timer (End/Radar) and is called "Buy more Tones". The vulnerability is exploitable in the Apple iPhone 5 & 6(s)
> with iOS v9.0, v9.1 & v9.2.1.
>
> 1.3
> In the third scenario the attacker opens via panel or by a Siri request the clock app. After that he opens the internal world clock module. In the
> bottom right is a link to the weather channel that redirects to the store as far as its deactivated. By pushing the link a restricted appstore
> browser window opens. At that point it is possible to unauthorized switch back to the internal home screen by interaction with the home button or
> with Siri again. The link to bypass the controls becomes visible in the World Clock (Weather Channel) and is an image as link. This special case is
> limited to the iPad because only those models display the web world map. In the iPhone version the bug does not exist because the map is
> not displayed because of using a limited template. The vulnerability is exploitable in the Apple iPad2 with iOS v9.0, v9.1 & v9.2.1.
>
> 1.4
> In the fourth scenario the attacker opens via Siri the 'App & Event Calendar' panel. After that the attacker opens under the Tomorrow task the
> 'Information of Weather' (Informationen zum Wetter - Weather Channel LLC) link on the left bottom. As far as the weather app is deactivated on the
> Apple iOS device, a new browser window opens to the appstore. At that point it is possible to unauthorized switch back to the internal home screen
> by interaction with the home button or with Siri again. The link to bypass the controls becomes visible in the App & Events Calendar panel.
> The vulnerability is exploitable in the Apple iPad2 with iOS v9.0, v9.1 & v9.2.1.
>
> The security risk of the passcode bypass vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4.
> Exploitation of the passcode protection mechanism bypass vulnerability requires no privileged ios device user account or low user interaction.
> Physical apple device access is required for successful exploitation. Successful exploitation of the vulnerability results in unauthorized
> device access, mobile apple device compromise and leak of sensitive device data like the address-book, photos, sms, mms, emails, phone app,
> mailbox, phone settings or access to other default/installed mobile apps.
>
>
> Vulnerable Module(s):
> [+] PassCode (Protection Mechanism)
>
>
> Affected Device(s):
> [+] iPhone (Models: 5, 5s, 6 & 6s)
> [+] iPad (Models: mini, 1 & 2)
>
> Affected OS Version(s):
> [+] iOS v9.0, v9.1 & v9.2.1
>
>
> Proof of Concept (PoC):
> =======================
> The passcode protection mechanism bypass vulnerabilities can be exploited by local attackers with physical device access and without privileged or
> restricted device user account.
> For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
>
>
> 1.1
> Manual steps to reproduce the vulnerability ... (Siri Interface - App Store Link) iPhone (Models: 5, 5s, 6 & 6s)
> 1. Take the iOS device and lock the passcode to the front
> 2. Open Siri by activation via Home button (push 2 seconds)
> 3. Ask Siri to open a non existing App
> Note: "Open App Digital" (Öffne App Digital)
> 4. Siri responds to the non existing app and asks to search in the appstore
> 5. Now, an "open App store" button becomes visible to push (do it!)
> 6. A new restricted browser window opens with the appstore bottom menu links
> 7. Click to updates and open the last app or push twice the home button to let the task slide preview appear
> 8. Now choose the active front screen task
> 9. Successful reproduce of the passcode protection bypass vulnerability!
>
>
> 1.2
> Manual steps to reproduce the vulnerability ... (Clock & Timer - Buy more Tones Link) iPhone (Models: 5, 5s, 6 & 6s)
> 1. Take the iOS device and lock the passcode to the front
> 2. Open Siri by activation via Home button (push 2 seconds)
> Note: "Open World Clock" (Öffne App Weltuhr)
> 3. Push the 'Timer' module button on the bottom
> 4. Now, push the Radius or End Timer Button in the middle of the screen
> Note: A listing opens with the sounds collection and on top is a web link commercial
> 5. Push the button and a new restricted browser window opens with the appstore bottom menu links
> 6. Click to updates and open the last app or push twice the home button to let the task slide preview appear
> 7. Now choose the active front screen task
> 8. Successful reproduce of the passcode protection bypass vulnerability!
> Note: The vulnerability can also be exploited by pushing the same link in the Alerts Timer (Wecker) next to adding a new one.
>
>
> 1.3
> Manual steps to reproduce the vulnerability ... (Clock World - Weather Channel Image Link) iPad (Models: 1 & 2)
> 1. Take the iOS device and lock the passcode to the front
> 2. Open Siri by activation via Home button (push 2 seconds)
> Note: "Open App Clock" (Öffne App Uhr)
> 3. Switch in the bottom module menu to world clock
> Note: on the bottom right is an image of the weather channel llc network
> 4. Push the image of the weather channel llc company in the world map picture
> Note: Weather app needs to be deactivated by default
> 5. After pushing the button a new restricted browser window opens with the appstore bottom menu links
> 6. Click to updates and open the last app or push twice the home button to let the task slide preview appear
> 7. Now choose the active front screen task
> 8. Successful reproduce of the passcode protection bypass vulnerability!
> Note: The issue is limited to the iPad 1 & 2 because of the extended map template!
>
>
> 1.4
> Manual steps to reproduce the vulnerability ... (Events Calendar App - Weather Channel LLC Link) iPad (Models: 1 & 2) & iPhone (Models: 5, 5s, 6 & 6s)
> 1. Take the iOS device and lock the passcode to the front
> 2. Open Siri by activation via Home button (push 2 seconds)
> Note: "Open Events/Calendar App" (Öffne Events/Kalender App)
> 3. Now push on the bottom of the screen next to the Tomorrow (Morgen) module the 'Information of Weather Channel' link
> Note: Weather app needs to be deactivated by default
> 4. After pushing the button a new restricted browser window opens with the appstore bottom menu links
> 5. Click to updates and open the last app or push twice the home button to let the task slide preview appear
> 6. Now choose the active front screen task
> 7. Successful reproduce of the passcode protection bypass vulnerability!
>
>
> Video Demonstration: In the attached video demonstration we show how to bypass the passcode of the iphone 6s via the Siri App Store & timer Buy more
> Tones link.
> In the video we activated the passcode and setup to activate the control center by default to the locked mobile front screen. Siri was activated as
> well by default.
>
>
> Solution - Fix & Patch:
> =======================
> The vulnerabilities can be temporarily patched by the end user by hardening of the device settings. Deactivate in the Settings menu the Siri module
> permanently.
> Deactivate also the Events Calendar without passcode to disable the push function of the Weather Channel LLC link. Deactivate in the next step the
> public control panel with the timer and world clock to disarm exploitation. Activate the weather app settings to prevent the redirect when the module
> is disabled by default in the events calendar. Finally apple needs to issue a patch as workaround for the issue but since this happens a temp
> solution has been published as well.
>
>
> Security Risk:
> ==============
> The security risk of the passcode protection mechanism bypass vulnerabilities in the apple ipad and iphone mobile devices are estimated as high.
> (CVSS 6.4)
>
>
> Credits & Authors:
> ==================
> Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri ([email protected])
> [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]
>
>
> Disclaimer & Information:
> =========================
> The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or
> implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in
> any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or
> its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
> consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses,
> policies, deface websites, hack into databases or trade with stolen data.
>
> Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
> Contact: [email protected] - [email protected] - [email protected]
> Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
> Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
> Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
> Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
>
> Any modified copy or reproduction, including partial usages, of this file requires authorization from Vulnerability Laboratory. Permission to
> electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
> Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is
> trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or
> [email protected]) to ask for permission.
>
> Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
>
> --
> VULNERABILITY LABORATORY - RESEARCH TEAM
> SERVICE: www.vulnerability-lab.com
> CONTACT: [email protected]
> --

Edsel Adap
[email protected]

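The quoted advisory's "Solution - Fix & Patch" section amounts to three lock-screen settings: no Siri while locked, no Control Center while locked (the Clock and Timer entry points), and no Today view while locked (the calendar panel with the Weather Channel link). On a managed fleet those settings are pushed as a Restrictions payload rather than toggled by hand. The profile below is an added example written for this thread, not material from the advisory or from Apple; the three `allow*` keys are Apple's documented `com.apple.applicationaccess` restriction keys, while the identifiers, UUIDs and organization name are placeholders, and the mapping of "Events Calendar panel" to the Today view is this editor's reading of the advisory.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Example profile (not from the advisory). Install via MDM or Apple Configurator. -->
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.applicationaccess</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <!-- placeholder identifier and UUID; generate real ones per deployment -->
      <key>PayloadIdentifier</key>
      <string>example.lockscreen.hardening.restrictions</string>
      <key>PayloadUUID</key>
      <string>00000000-0000-4000-8000-000000000001</string>
      <key>PayloadDisplayName</key>
      <string>Lock screen hardening (restrictions)</string>

      <!-- Scenario 1.1: Siri on the lock screen is the entry point for the
           "open App Store" link, so refuse Siri while the device is locked. -->
      <key>allowAssistantWhileLocked</key>
      <false/>

      <!-- Scenarios 1.2 and 1.3: Clock/Timer and World Clock are reached through
           Control Center on the lock screen; block Control Center while locked. -->
      <key>allowLockScreenControlCenter</key>
      <false/>

      <!-- Scenario 1.4: the "Tomorrow" calendar panel with the weather link is
           the Today view of Notification Center; block it while locked. -->
      <key>allowLockScreenTodayView</key>
      <false/>
    </dict>
  </array>

  <!-- Top-level (outer) payload envelope -->
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>example.lockscreen.hardening</string>
  <key>PayloadUUID</key>
  <string>00000000-0000-4000-8000-000000000000</string>
  <key>PayloadDisplayName</key>
  <string>Lock screen hardening (example)</string>
  <key>PayloadOrganization</key>
  <string>Example Org (placeholder)</string>
  <key>PayloadDescription</key>
  <string>Disables Siri, Control Center and the Today view on the lock screen.</string>
</dict>
</plist>
```

The same three switches exist in Settings on an unmanaged device (Touch ID & Passcode: "Allow Access When Locked" for Siri, Today, and Control Center), which is what the advisory's end-user workaround describes; the profile only makes them enforceable and auditable. It does not change whether the Weather app is installed, which the advisory identifies as the condition that turns the Weather Channel image and calendar links into App Store redirects, so an inventory check that the app is present is a separate control.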