September 19, 2013

iOS 7 Lockscreen Bypass

Today it was reported that the latest version of Apple’s mobile operating system, iOS 7, has a flaw that allows an unauthorized person to bypass the lockscreen and access sensitive data and services. We investigated the flaw and discovered that it goes further than previously reported: it is not limited to the timer app but also includes the calculator app. Additionally, we discovered that it’s possible to completely expose the contacts list.

The good news is that it’s easy to stay safe until Apple issues a fix:

  • Go to the settings app
  • Select the settings for “control center” and disable “control center”, “notification center” and “Siri” on the lockscreen
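
For managed devices, the same three toggles can be checked in a configuration profile. The script below is an added example, not part of the original post: it audits a profile's Restrictions payload for the settings named above. The mapping from the UI settings to Apple's Restrictions payload keys is this example's assumption, and the sample profiles are constructed.

```python
import plistlib

# Restrictions-payload keys (Apple's com.apple.applicationaccess payload) that
# correspond to the three lockscreen toggles in the mitigation above.
# The mapping is an assumption of this example; the page names only the UI settings.
LOCKSCREEN_KEYS = {
    "allowLockScreenControlCenter": "Control Center on lockscreen",
    "allowLockScreenNotificationsView": "Notification Center on lockscreen",
    "allowAssistantWhileLocked": "Siri on lockscreen",
}

def audit_profile(profile_bytes):
    """Return {key: reason} for every lockscreen feature the profile leaves enabled."""
    profile = plistlib.loads(profile_bytes)
    merged = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            for key in LOCKSCREEN_KEYS:
                if key in payload:
                    # Most restrictive value wins if several payloads set the key.
                    merged[key] = merged.get(key, True) and payload[key]
    findings = {}
    for key, label in LOCKSCREEN_KEYS.items():
        if key not in merged:
            findings[key] = f"{label}: not set (defaults to allowed)"
        elif merged[key] is not False:
            findings[key] = f"{label}: explicitly allowed"
    return findings

def make_profile(**restrictions):
    """Build a constructed sample profile for the demo (not a real deployment)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.constructed.lockscreen",
        "PayloadContent": [{
            "PayloadType": "com.apple.applicationaccess",
            **restrictions,
        }],
    })

# Constructed inputs: one profile that only partly applies the mitigation, one that fully does.
WEAK = make_profile(allowLockScreenControlCenter=False, allowAssistantWhileLocked=True)
HARDENED = make_profile(**{k: False for k in LOCKSCREEN_KEYS})

if __name__ == "__main__":
    for name, blob in (("weak", WEAK), ("hardened", HARDENED)):
        findings = audit_profile(blob)
        print(name, "OK" if not findings else "FAIL")
        for reason in findings.values():
            print("  -", reason)
```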


How it works

When the iPhone is locked, it is possible to access the new “control center” by swiping upwards on the lockscreen (in the same way that you could swipe upwards in iOS 6 in order to access the camera app). In our test of the vulnerability, we discovered that there is more to this flaw than previously reported.

Once activated, the new control center by default allows you to access 4 applications:

  1. The flashlight app – turns the camera “Flash on” for use as a flashlight
  2. The timer app – allows you access to the alarm clock app to set reminders
  3. The calculator app – allows access to the onboard calculator
  4. The camera app – allows access to the phone’s camera

The vulnerability lies with both the timer app and the calculator app. By completing the following sequence it is possible to sidestep the lockscreen security and access sensitive services and data underneath:

  1. Start either the calculator or timer app
  2. Press the power button once to bring up the “swipe to power off” message
  3. Tap cancel
  4. Double tap the home button
  5. You should now have access to the control screen for iOS 7’s “multitasking” capability
  6. Congratulations! You now have (limited) access to a number of sensitive features

Impact

With this vulnerability, it’s possible to access the full camera app from the multitasking screen, instead of the limited-functionality version you normally get by starting the camera app from a locked device. This allows an unauthorized party to perform any of the normal activities that would be available within the camera app:

  • Take photos
  • View all the photographs stored on the device
  • Share (upload) the photographs via email and SMS
  • Post photos and text to the owner’s Twitter, Facebook and/or Flickr accounts (if configured)
  • Edit and delete photos

From the camera app, it is possible to access other features including all of the contacts when you choose to share a message. This gives the ability to edit or delete those contacts and even set up restrictions to block certain callers.

Even Siri has been implicated in this flaw – it has been found that you can ask Siri to put a locked phone into airplane mode. By turning off the telephony services, Wi-Fi services and GPS like this, an unauthorized person could prevent a missing device from being located electronically.

Finally, the multitasking screen also gives you the ability to kill any running applications, such as a security application.

It appears that Apple is restricting access to applications called from the lockscreen through a (flawed) whitelist: if you trigger any other apps or activate any features not related to the functionality described above, that attempt fails silently without any visible effect. The problem here is that when you call a permitted app from this locked state, you are given access to the full app rather than a restricted version, unlike when you call the camera app by swiping on the iPhone lockscreen in iOS 7.
