iOS 9 security blooper lets you BYPASS PINs, eye up photos, contacts

A security flaw in iOS 9 allows anyone who has a locked Apple iThing in their hand to view its contacts and photos without having to enter a passcode. A chap called Jose Rodriguez has posted a YouTube video demonstrating the design blunder, which exploits Siri to access information on the handset from the PIN unlock screen. …

Silver badge

Software testing

Apple: "Yes, we've heard of it."

15
1
Silver badge

Re: Software testing

Apple: "Yes, we've heard of it."

Add to that... "We're using the Microsoft model of testing. Our customers do it for us."

17
1
Silver badge
Paris Hilton

He that is without sin among you, let him first cast a stone at her

Strange how complicated the world is, that nobody is able to write software without security bugs.

PH for title.

3
5

It's all about the complexity of OS software...

not who writes it.

The more complex you make an OS, the more likely it is that one of the contributors will screw up something. Unfortunately, they mostly don't keep good records of previous gaffes and rarely let the same person(s) do the same work on the new OS. THAT at least would make it difficult to forget "lessons learned". Changing people around like musical chairs doesn't help. "Multi-tasking" is only beneficial for the HR department not anyone else.

And the funny thing is, this same shit happens with Apple, Microsoft, Linux greybeards, Google, etc, etc.

12
1

Re: It's all about the complexity of OS software...

Argh!! Common Sense!! Get the pitchforks and torches!! ;)

Mind.... It *is* a bit ..silly.. that the security of the primary user entry point to [fruity device x] hasn't been triple-checked, followed up by some devious-mind "would it stand up against this?" attempts. Just to be sure.

With complexity as it is, people have come to expect some ratholes in the dusty corners, but to bodge the lock on the front door? Now that's a serious Gaffe.

4
0
Silver badge

Re: It's all about the complexity of OS software...

This sort of bug seems to creep in with every other version.

Anyone remember the "Emergency Pizza" option? Where on the PIN screen you couldn't just dial 911, but any telephone number...

0
0
Silver badge

Re: It's all about the complexity of OS software...

Or 112 for everybody outside of America. ;-)

1
2
Silver badge
WTF?

Re: It's all about the complexity of OS software...

"not who writes it" [Citation needed]

Not being able to write complex software that is completely free of obscure bugs is one thing; using what must be the equivalent of yellow "police line - do not cross" tape to "block" a front gate instead of an actual proper door and lock is just ludicrous and predictably results in all the headaches you can expect from such a rinky-dink solution. And no, it doesn't get any more excusable because most of the usual suspects idiots seem to be doing it. It just highlights that NO ONE actually gives a damn about any level of security (except the hackers, natch).

0
2
Silver badge

The more complex

you make an OS, the more likely it is that one of the contributors will screw up something.

Yes, in an old-fashioned monolithic design, but all you bright young things spent ages after coming off your CS degree courses explaining loudly and slowly to us old-timers that the new, ultra-modularized world of OO design would make that a thing of the past because each class would be small, simple and easy to test (and presumably regression test, though I never saw that mentioned in print).

I guess a poor workman still blames his/her tools, even when they have bright'n'shiny new names.

4
0
Anonymous Coward

Ah, the good olde fashioned Nokia 3310 could come out of retirement soon.

At least Nokia was reliable and secure in its day.

Android and iOS both seem to be shite at security nowadays.

2
1
Silver badge

Shameful

At least on Android you don't get to look at photos when you bring up your camera app. It politely asks you to enter your pin or swipe pattern to unlock.

1
7

Re: Shameful

Similar with iOS. (when it's working correctly!) You only get to use the camera when locked if the owner has enabled it, and when using the camera while locked, you only get to review the pictures you just took, not any already on the device.

10
0
Silver badge

Re: Shameful

No, you just need to enter a really long password and then you can bypass the lock screen ENTIRELY and have access to everything! At least Apple users will have a fix for this bug in a few weeks at most. How long will you have to wait for the lock screen bug to be fixed on your phone? Assuming you ever get a firmware update for it?

6
1
Silver badge

Re: Shameful

Oh wait, just read below that iOS 9.0.1 is already out and fixes it today. Pretty funny to see Android users slinging arrows at iPhone users over security, since we don't have to wait months or forever for fixes!

7
1

Re: Shameful

I have to admit that this is where Apple's model comes into its own. How many devices can run iOS 9, and therefore need testing, compared to Android? Google can't test them all, so it's down to the manufacturers - they get Android for free, after all. The flip side of that is that there's no dodging the blame here by Apple.

3
1
Anonymous Coward

Re: Shameful

Exactly! Apple will issue a fix and 100% of devices with hardware capable of running iOS9 and/or with iOS 9 can be upgraded within a matter of days.

Pity about android.

1
1

Re: Shameful

That's weird... My friend's iPhone has iOS 9.0.1 on it and I've just managed to post a status to her Facebook account using this bug. Fixed it is not.

1
0
Silver badge

Doing it Wrong

If you are entering your pin incorrectly and then asking Siri to tell you the time, you are obviously doing it wrong. Just don't do those things and your device won't be vulnerable....

9
2
Anonymous Coward

Re: Doing it Wrong

Getting a bit tedious.

Can't think of anything original to say?

Either show the original quote, from Apple, regarding "holding it wrong", or stop your OCD, will you?

4
14
Anonymous Coward

Re: Doing it Wrong

"Either show the original quote, from Apple, regarding "holding it wrong", or stop your OCD, will you?"

http://www.engadget.com/2010/06/24/apple-responds-over-iphone-4-reception-issues-youre-holding-th/

3
1
Anonymous Coward

Re: Doing it Wrong

In which case, the correct quip should be "Avoid entering the wrong PIN".

Freetards: Here's how to use adverbs.

2
1
Silver badge
Big Brother

NSA calling!

Siri took our coin

0
0

Anyone still able to exploit this flaw?

Have Apple just pushed out a silent patch?

About an hour ago I was able to exploit the flaw as described in the article. Now when I select Message or Mail etc. in the share screen (previously allowing me to enter that App and subsequently see the photos and contacts etc.) the phone bounces me straight to a screen asking for Touch ID or Passcode.

0
0
Silver badge

Looks like some regression.

There used to be a bug that let you browse photos after pulling up the camera, without unlocking the phone. Many years ago.

0
0

iOS 9.0.1 update now available...

and trying the home button pin bypass did not work.

2
0
tfb

Re: iOS 9.0.1 update now available...

If this does indeed fix the bug, then it looks like it took them several hours to do so. No doubt everyone will still harp on endlessly about it.

(Not an apple fan particularly, just amused at the tedious name-calling.)

6
1
Silver badge

Re: No doubt everyone will still harp on endlessly about it.

No, half of them will harp on and on about how it's not important because it was patched quickly.

(Not an apple hater particularly, just amused by the tedious excuses.)

2
3

Bugs like these can't be found by chance... Anyone releasing the trick to the public is being paid by competitors or a competitor employee to do it on purpose. Someone had illegal access to the iOS source code and undisclosed list of known errata..

0
23
Silver badge

Ach! The tinfoil, it does nothing!

Or maybe, just maybe, someone's passing on the access tricks to the public that Apple passed to certain agencies?

0
0
tfb

Finding bugs by chance

No, they probably can't be found by chance. They can, however, be found by someone with a lot of time on their hands and the willingness to try a huge number of random prods at the system to see if it has any holes, in exchange for some momentary fame on the intarwebs. Such people do exist: 35 years ago they were pressing random buttons on calculators to get them into funny and interesting states and solving Rubik's cubes, today they poke at phones. I think doing interesting things to calculators and cubes was, well, more interesting, sadly.

7
0

And presumably no-one gets struck by lightning by chance either. Anyone struck by lightning must be being paid by lightning competitors or doing it on purpose. Someone had heretical access to God's Great Weather Plan and stood in a spot where they knew they would get struck.

Funny thing about chance... of the "1 in a XXXX" expression of probability, that "1" is a dead certainty... on that one occasion.

And in the case of a repeatable phenomenon, you only need be aware of what's happening on that 1 time and then you can repeat it without running into those pesky odds each time.

10
0

million to one chances...

...happen 9 times out of 10

(with apologies to the late, great Sir Terry Pratchett)

0
0
Silver badge

re: Joerg

Like Eadon for Apple instead of linux. DFTT.

1
0

How the hell did they figure that out

How did they figure out that sequence would unlock the phone?

Got too much time on their hands some people

3
0
Silver badge
Holmes

Re: How the hell did they figure that out

No, they didn't have the time. They had to ask Siri for it. That's how they found the bug.

6
0
Anonymous Coward

Just ask Siri

Hey, Siri, tell me about all the bugs...

0
0
Facepalm

Marketing PHBs unite!

The more complex the product....

The longer it takes to write...

And to fix...

The longer it takes to get to market....

Marketing and Sales can't wait to do it properly so....

PHBs step in and demand a release ASAP before the devs can test it thoroughly and *BINGO* there you have an utterly ridiculous and avoidable security risk!

Which in turn ensures that with bad press means the marketing dept gets to do double shifts stamping out the fires, 'cos as we all know marketing depts are always the boil on the bum of any company, have neither scruples nor morals!

0
0
Anonymous Coward

It's easy really

Locked should really mean locked - not some sort of reduced functionality mode.

Locked with lots of access to "important" stuff e.g. music controls should be a separate state entirely.

1
1

After all those years flapping their pie holes

The Apple fans should quietly accept the abuse they now receive. It's not so easy once you start to pump some real volume is it?

Just go ahead and say it fanbois: "We were loudmouthed twits when MSFT had a problem and now we will silently suffer our just returns."

1
3
Anonymous Coward

Re: After all those years flapping their pie holes

Or MSFT fanbois like you could rise above it and claim the moral high ground instead of being vindictive little pricks.

1
0

It's not a security fault

The phone is being unlocked when he hit the home button, his finger has registered on the phone and recognised (unlocking the phone), try this technique using a finger that has not been registered by the phone, it won't work... this video is a fraud.

0
0
