back to article iOS 9 security blooper lets you BYPASS PINs, eye up photos, contacts

A security flaw in iOS 9 allows anyone who has a locked Apple iThing in their hand to view its contacts and photos without having to enter a passcode. A chap called Jose Rodriguez has posted a YouTube video demonstrating the design blunder, which exploits Siri to access information on the handset from the PIN unlock screen. …

  1. Andy Non

    Software testing

    Apple: "Yes, we've heard of it."

    1. Mark 85 Silver badge

      Re: Software testing

      Apple: "Yes, we've heard of it."

      Add to that... "We're using the Microsoft model of testing. Our customers do it for us."

      1. ratfox
        Paris Hilton

        He that is without sin among you, let him first cast a stone at her

        Strange how complicated the world is, that nobody is able to write software without security bugs.

        PH for title.

  2. Dan Paul

    It's all about the complexity of OS software...

    not who writes it.

    The more complex you make an OS, the more likely it is that one of the contributors will screw up something. Unfortunately, they mostly don't keep good records of previous gaffes and rarely let the same person(s) do the same work on the new OS. THAT at least would make it difficult to forget "lessons learned". Changing people around like musical chairs doesn't help. "Multi-tasking" is only beneficial for the HR department not anyone else.

    And the funny thing is, this same shit happens with Apple, Microsoft, Linux greybeards, Google, etc, etc.

    1. Grikath

      Re: It's all about the complexity of OS software...

      Argh!! Common Sense!! Get the pitchforks and torches!! ;)

      Mind.... It *is* a bit ..silly.. that the security of the primary user entry point to [fruity device x] hasn't been triple-checked, followed up by some devious-mind "would it stand up against this?" attempts. Just to be sure.

      With complexity as it is, people have come to expect some ratholes in the dusty corners, but to bodge the lock on the front door? Now that's a serious Gaffe.

      1. big_D Silver badge

        Re: It's all about the complexity of OS software...

        This sort of bug seems to creep in with every other version.

        Anyone remember the "Emergency Pizza" option? Where on the PIN screen you couldn't just dial 911, but any telephone number...

        1. big_D Silver badge

          Re: It's all about the complexity of OS software...

          Or 112 for everybody outside of America. ;-)

    2. DropBear

      Re: It's all about the complexity of OS software...

      "not who writes it" [Citation needed]

      Not being able to complex write software that is completely free of obscure bugs is one thing; using what must be the equivalent of yellow "police line - do not cross" tape to "block" a front gate instead of an actual proper door and lock is just ludicrous and predictably results in all the headaches you can expect from such a rinky-dink solution. And no, it doesn't get any more excusable because most of the usual suspects idiots seem to be doing it. It just highlights that NO ONE actually gives a damn about any level of security (except the hackers, natch).

    3. Stevie

      The more complex

      you make an OS, the more likely it is that one of the contributors will screw up something.

      Yes, in an old-fashioned monolithic design, but all you bright young things spent ages after coming off your CS degree courses explaining loudly and slowly to us old-timers that the new, ultra-modularized world of OO design would make that a thing of the past because each class would be small, simple and easy to test (and presumably regression test, though I never saw that mentioned in print).

      I guess a poor workman still blames his/her tools, even when they have bright'n'shiny new names.

  3. Anonymous Coward
    Anonymous Coward

    Ah, the good olde fashioned Nokia 3310 could come out of retirement soon.

    At least Nokia was reliable and secure in it's day.

    Android and iOS both seem to be shite at security nowadays.

    1. John 104


      At least on Android you don't get to look at photos when you bring up your camera app. It politely asks you to enter your pin or swipe pattern to unlock.

      1. sleepy

        Re: Shameful

        Similar with IOS. (when it's working correctly!) You only get to use the camera when locked if the owner has enabled it, and when using the camera while locked, you only get to review the pictures you just took, not any already on the device.

      2. Anonymous Coward
        Anonymous Coward

        Re: Shameful

        No, you just need to enter a really long password and then you can bypass the lock screen ENTIRELY and have access to everything! At least Apple users will have a fix for this bug in a few weeks at most. How long will you have to wait for the lock screen bug to be fixed on your phone? Assuming you ever get a firmware update for it?

        1. Anonymous Coward
          Anonymous Coward

          Re: Shameful

          Oh wait, just read below that iOS 9.0.1 is already out and fixes it today. Pretty funny to see Android users slinging arrows at iPhone users over security, since we don't have to wait months or forever to for fixes!

          1. badger31

            Re: Shameful

            I have to admit that this is where Apple's model comes in to its own. How many devices can run iOS 9, and therefor need testing, compared to Android? Google can't test them all, so it's down to the manufacturers - they get android for free, after all. The flip side of that is that there's no dodging the blame here by Apple.

            1. Anonymous Coward
              Anonymous Coward

              Re: Shameful

              Exactly! Apple will issue a fix and 100% of devices with hardware capable of running iOS9 and/or with iOS 9 can be upgraded within a matter of days.

              Pity about android.

          2. Shades

            Re: Shameful

            That's weird... My friends iPhone has iOS 9.0.1 on it and I've just managed to post a status to her Facebook account using this bug. Fixed it is not.

  4. John 104

    Doing it Wrong

    If you are entering your pin incorrectly and then asking Siri to tell you the time, you are obviously doing it wrong. Just don't do those things and your device won't be vulnerable....

    1. Anonymous Coward
      Anonymous Coward

      Re: Doing it Wrong

      Getting a bit tedious.

      Can't think of anything original to say?

      Either show the original quote, from Apple, regarding "holding it wrong", or stop your OCD, will you?

      1. Anonymous Coward
        Anonymous Coward

        Re: Doing it Wrong

        "Either show the original quote, from Apple, regarding "holding it wrong", or stop your OCD, will you?"

        1. Anonymous Coward
          Anonymous Coward

          Re: Doing it Wrong

          In which case, the correct quip should be "Avoid entering the wrong PIN".

          Freetards: Here's how to use adverbs.

  5. Anonymous Coward
    Big Brother

    NSA calling!

    Siri took our coin

  6. Anonymous Coward
    Anonymous Coward

    Anyone still able to exploit this flaw?

    Have apple just pushed out a silent patch?

    About an hour ago I was able to exploit the flaw as described in the article. Now when I select Message or Mail etc. in the share screen (previously allowing me to enter that App and subsequently see the photos and contacts etc.) the phone bounces me straight to a screen asking for Touch ID or Passcode.

  7. anonymous boring coward Silver badge

    Looks like some regression.

    There used to be a bug that let you browse photos after pulling up the camera, without onlocking the phone. Many years ago.

  8. Synonymous Howard

    iOS 9.0.1 update now available...

    and trying the home button pin bypass did not work.

    1. Anonymous Coward
      Anonymous Coward

      Re: iOS 9.0.1 update now available...

      If this does indeed fix the bug, then it looks like it took them several hours to do so. No doubt everyone will still harp on endlessly about it.

      (Not an apple fan particularly, just amused at the tedious name-calling.)

      1. sabroni Silver badge

        Re: No doubt everyone will still harp on endlessly about it.

        No, half of them will harp on and on about how it's not important because it was patched quickly.

        (Not an apple hater particularly, just amused by the tedious excuses.)

  9. Joerg

    Bugs like these can't be found by chance... Anyone releasing the trick to the public is being paid by competitors or a competitor employee to do it on purpose. Someone had illegal access to the iOS source code and undisclosed list of known errata..

    1. Captain DaFt

      Ach! The tinfoil, it does nothing!

      Or maybe, just maybe, someone's passing on the access tricks to the public that Apple Passed to certain agencies?

    2. Anonymous Coward
      Anonymous Coward

      Finding bugs by chance

      No, they probably can't be found by chance. They can, however, be found by someone with a lot of time on their hands and the willingness to try a huge number of random prods at the system to see if it has any holes, in exchange for some momentary fame on the intarwebs. Such people do exist: 35 years ago they were pressing random buttons on calculators to get them into funny and interesting states and solving Rubik's cubes, today they poke at phones. I think doing interesting things to calculators and cubes was, well, more interesting, sadly.

    3. Deltics

      And presumably no-one get's struck by lightning by chance either. Anyone struck by lightning must be being paid by lightning competitors or doing it on purpose. Someone had heretical access to God's Great Weather Plan and stood in a spot where they knew they would get struck.

      Funny thing about chance... of the "1 in a XXXX" expression of probability, that "1" is a dead certainty... on that one occasion.

      And in the case of a repeatable phenomenon, you only need be aware of what's happening on that 1 time and then you can repeat it without running into those pesky odds each time.

      1. Richard 22

        million to one chances...

        ...happen 9 times out of 10

        (with apologies to the late, great Sir Terry Pratchett)

    4. sabroni Silver badge

      re: Joerg

      Like Eadon for Apple instead of linux. DFTT.

  10. Nexus1974

    How the hell did they figure that out

    How did they figure that sequence out would unlock the phone.

    Got too much time on their hands some people

    1. Steve Knox

      Re: How the hell did they figure that out

      No, they didn't have the time. They had to ask Siri for it. That's how they found the bug.

  11. Anonymous Coward
    Anonymous Coward

    Just ask Siri

    Hey, Siri, tell me about all the bugs...

  12. Amorous Cowherder

    Merketing PHBs unite!

    The more complex the product....

    The longer it takes to write...

    And to fix...

    The longer it takes to get to market....

    Marketing and Sales can't wait to do it properly so....

    PHBs step in and demand a release ASAP before the devs can test it thoroughly and *BINGO* there you have an utterly ridiculous and avoidable security risk!

    Which in turn ensures that with bad press means the marketing dept gets to do double shifts stamping out the fires, 'cos as we all know marketing depts are always the boil on the bum of any company, have neither scruples nor morals!

  13. Anonymous Coward
    Anonymous Coward

    It's easy really

    Locked should really mean locked - not some sort of reduced functionality mode.

    Locked with lots of access to "important" stuff e.g. music controls should be a separate state entirely.

  14. Emmeran

    After all those years flapping their pie holes

    The Apple fans should quietly accept the abuse they now receive. It's not so easy once you start to pump some real volume is it?

    Just go ahead and say it fanbois: "We were loudmouthed twits when MSFT had a problem and now we will silently suffer our just returns."

    1. Anonymous Coward
      Anonymous Coward

      Re: After all those years flapping their pie holes

      Or MSFT fanbois like you could rise above it and claim the moral high ground instead of being vindictive little pricks.

  15. yode

    Its not a security fault

    The phone is being unlocked when he hit the home button, his finger has registered on the phone and reconised(unlocking the phone) , try this technique using a finger that has not been registered by the phone, it won't work... this video is a fraud.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022