OrbitFlash

Q: Security Flaw with IOS 9.3.5

In IOS 9.3.5, the most recent IOS update, security is supposed to be fixed. There is a flaw where you can ask siri "What time is it?" from the lock screen. Siri will show you the clock, and you click on that. Once you have clicked that, just click the "+" in the right hand corner, put in some random letters, click "Cancel," then go to "StopWatch" then click the home button, and you get in the home screen even though you do not know the password.

 

Hope this bug can get fixed soon!
~Flash

Posted on Sep 1, 2016 9:48 PM

Close

Q: Security Flaw with IOS 9.3.5

  • All replies
  • Helpful answers

  • by turingtest2,

    turingtest2 turingtest2 Sep 2, 2016 8:03 PM in response to OrbitFlash
    Level 10 (84,849 points)
    iTunes
    Sep 2, 2016 8:03 PM in response to OrbitFlash

    Which digit did you use to press the home button at the end? Testing here the device only unlocks with a previously registered fingerprint? The intermediate steps of random typing and selecting the stopwatch don't change that, however it is quite easy to use your normal finger for the home button press at the end even if you deliberately used an invalid one to invoke Siri at the beginning.

     

    tt2

  • by OrbitFlash,

    OrbitFlash OrbitFlash Sep 3, 2016 1:40 PM in response to turingtest2
    Level 1 (4 points)
    iPod
    Sep 3, 2016 1:40 PM in response to turingtest2

    Hey there! Thank you for the response!

     

    I was using an IPhone 5s at the time. The IPhone did not have a fingerprint available. I am sure it did not have anything to do with the finger print. I switched off with the fingerprints, I started off with using my thumb for siri, then I switched to my index finger when adding a new clock, switching to the stopwatch, and clicking the home button.

     

    Thanks again!
    ~Flash

  • by turingtest2,Helpful

    turingtest2 turingtest2 Sep 5, 2016 10:41 AM in response to OrbitFlash
    Level 10 (84,849 points)
    iTunes
    Sep 5, 2016 10:41 AM in response to OrbitFlash

    You're welcome.

     

    As given I cannot reproduce the problem on my iPhone 6+, though I thought I had at one point. If it turns out you can reliably get from the lock screen of a pass code enabled iPhone to full access without using a registered fingerprint on the home button or typing in the pass code then use iPhone Feedback and include all of the details such as the exact model number and iOS build.

     

    tt2

  • by OrbitFlash,

    OrbitFlash OrbitFlash Sep 5, 2016 8:08 PM in response to turingtest2
    Level 1 (4 points)
    iPod
    Sep 5, 2016 8:08 PM in response to turingtest2

    Ok, thank you!

     

    Also, I have just found a video that shows the exact same scenario as mine, except for all I do is go to the home screen from the search instead of clicking "Share": <Link Edited by Host>

     

    Thanks again!

    ~Flash

  • by gail from maine,

    gail from maine gail from maine Sep 5, 2016 11:10 AM in response to OrbitFlash
    Level 7 (25,445 points)
    iCloud
    Sep 5, 2016 11:10 AM in response to OrbitFlash

    Are you absolutely certain that you do not have Touch ID enabled? I use Touch ID enabled for my thumb and did the following tests:

     

    1.     Pressed the Home button to talk to Siri with my thumb, followed your instructions, pressed the Home button at the end with my middle finger - went to Home screen

     

    2.     Pressed the Home button to talk to Siri with my middle finger, followed your instructions, pressed the Home button at the end with my thumb - went to Slide to Unlock screen

     

    3.     Pressed the Home button at the beginning and the end with my middle finger - went to Slide to Unlock screen

     

    So, on my 5s, running 9.3.5, it is only happening when I am providing my Touch ID at the beginning of the process.

     

    Cheers,

     

    GB

  • by OrbitFlash,

    OrbitFlash OrbitFlash Sep 5, 2016 11:12 AM in response to gail from maine
    Level 1 (4 points)
    iPod
    Sep 5, 2016 11:12 AM in response to gail from maine

    I am absolutely sure I do not have Touch ID enabled. About 3 months ago I had it enabled, but I removed it after wanting to get used to my password.

     

    Cheers.

    ~Flash