iOS 7 Lock Screen Vulnerability Gives Access to Photos, Email

[legacyb4]

Me too; as soon as I saw the new settings for the Control Center in Settings, I disabled it.

However, you can still ask Siri to do a lot of stuff, including revealing the contents of your address book, etc. even when locked.

The first thing I turned off when I installed iOS 7.

The control center is a bit too much power for someone to have over my phone if they don't know my passcode.

 

[little.pm]

the sky is falling! the sky is falling! im sure the average iphone thief knows that rubix cube procedure so he can get you where it hurts! a post on facebook!

yeah, best he posts with current location

 

[apollo1444]

now I know how to stalk other peoples pics, contacts and personal info thanks for the tip...

 

[macrumors12345]

Weird

Doesn't reproduce on my iPhone 5 with iOS 7. I wonder what is special about his particular phone.

 

[SoCalMike]

Lock means Lock

I don't understand why we 'lock' our phone, but oh, I do want easy access to this, or to that, or to do this fun little feature. Lock the mother up. Period. I get it, it should work. One of the first things I did was disable my control center from showing up in the lock screen. Duh . . . .

 

[coolfactor]

Apple really needs to implement a full lockdown lockscreen option. Where all you can do is swipe to unlock. No playing music, emergency dialing, answering calls, silencing alarm, &c. Just complete and total lockdown for people with sensitive information.

You can. Did you read? You can disable Notification Center and Control Center on the Lock screen. That would avoid what''ver is going on here.

That said, I've been unable to reproduce this hack on my iPhone 4.

 

[IGregory]

I guess developers and beta testers were unable to find this bug, ha. Or, is this guy smarter than the rest.

 

[virginblue4]

Cannot replicate it for the life of me on my iPhone 5.

 

[Jack Dangers]

However, you can still ask Siri to do a lot of stuff, including revealing the contents of your address book, etc. even when locked.

Yes, I noticed that today. Siri easily gave out my address from the lock screen. Was it like this in iOS6? They should really do something about it.

 

[The-Pro]

always amazes me that people most likely spend hours on the lock screen, pressing every combination of buttons and functions, guess he tried that with the flashlight, airplane mode and all that aswell just to find something like this.

if tried this exactly 25 times now, succeeded once. Not exactly effective if you are under time pressure is it.
Oh and, plug the phone into a mac, open image capture, and baaam, all photos at your disposal.

 

[Raizen.Z09]

Ahh… I did it. It works.

Just make sure you turn off the "Accessibility Shortcut" in General > Accessibility. Uncheck all the options. Also, you need to do it quickly before the "Cancel" button goes all the way down the screen, and try to hold your second press of the Home Button just a slightly little bit longer.

 

[bbeagle]

This vulnerability proves the need for TouchID even more.

The main reason for all these easy-to-do things on the lockscreen is that you want to get to something quickly without having to swipe and type in your passcode. I just want to take a picture, not spend 5 seconds to do that first.

With the fingerprint scanner, just grab the phone with your finger holding the fingerprint scanner, and you're unlocked in less than a second, and you have access to that camera right away. No real need for that lock screen functionality like you used to be.

 

[kwikdeth]

confirmed on a 4 and 5 both running 7.0. Was able to send out iMessages from the devices. Best fix is disabling control center access from the lock screen.

----------

Cannot replicate it for the life of me on my iPhone 5.

i was able to reproduce this on a 4 and a 5. the 5 was extremely touchy on doing it - i had to try four times on a 5 before it worked - but it *did* work.

 

[chrismac2]

With passcode lock setting to "immediately", I am unable to duplicate this behavior whatsoever. The video demo does not seem to indicate the device's passcode lock setting period, so I do not buy this story until further proof.

This!

Only when I have "require passcode" set to anything other than "immediately" am I able to get the "exploit" to work. And then it's only because the required amount of time since I locked it hasn't elapsed yet to actually require a passcode to unlock it.

 

[coolfactor]

I agree, but I discovered a side effect... No more AirPlay control from the lock screen if music is playing. Apple pulled the AirPlay button from the playback controls on the lock screen as well as in the Music app. I have already submitted feedback to bring the AirPlay button back. If you disable Control Center while in an app there is no way I could find to activate AirPlay while in the Music app playing music. This is definitely a usability flaw.

Same for orientation lock. In several situations, it's impossible to even open Control Center within an app because it won't respond if a keyboard is displayed along the bottom of the screen, for example. So I need to leave the app or that mode of it, open Control Center, change the setting, and then return to the app. Big usability flaw for something that was trivial to do before.

 

[borba]

me neither!

ive been trying to get this to happen, cant make it work on my 5.

Me neither.

 

[coolfactor]

This!

Only when I have "require passcode" set to anything other than "immediately" am I able to get the "exploit" to work. And then it's only because the required amount of time since I locked it hasn't elapsed yet to actually require a passcode to unlock it.

Hmmm, maybe that's why I was also unable to reproduce this "exploit". I changed my setting to Immediately to test it out and it wasn't working. It's obvious that access would be granted within any other allowed time period.

Gonna test that theory now...

 

[phillipduran]

HA!

My power button is broken! Can't touch this!

At least until my 5s is delivered.

 

[ercanbas]

I got this to work on my iPhone 5 and even more, I was able to navigate the whole phone after.

Here's what I did:

After pressing the cancel button for powering down on the clock app, I press the home button until the apps displayed and kept clicking on the photo album until it opened up, then even scarier, I simply pressed the home button and was able to have FULL access to the iPhone. Can anyone else confirm this?

 

[Essex711]

Issue fixed in new release?

7.0.1 is out.

Image

Is the exploit that is mentioned above fixed in the new release?

 

[johncrab]

There are two sides to security of anything from a house to an iOS device. A) One side must anticipate every conceivable way a person might try to get in and set up security to prevent that from happening while still allowing the house (or device) to be accessed without hassle by the rightful owner, B) The one looking for the single vulnerability that was missed.

I think Apple has done a great job of adding security without it being in the way and I am sure they will continue to improve security with updates as they always have. A device that is totally secure would be one that is powered down, placed in a steel box and the lid welded shut. That would make it a bit difficult to use.

 

[Swift]

Oh thanks, hackers

I just tried this and "iPhone is disabled." These guys live in a netherworld. Oh, wait, they're "security researchers."

 

[Raizen.Z09]

For all those who can't replicate the bug. First try turn off your "Accessibility Shortcut" (triple-click home button) in Accessibility.

 

[virginblue4]

confirmed on a 4 and 5 both running 7.0. Was able to send out iMessages from the devices. Best fix is disabling control center access from the lock screen.

----------



i was able to reproduce this on a 4 and a 5. the 5 was extremely touchy on doing it - i had to try four times on a 5 before it worked - but it *did* work.

I believe that it works I just cannot replicate it at all. Tried over 15 times! Oh well, suppose that's not a bad thing haha

 

[Xenomorph]

Maybe tomorrow's release of 7.0.1 will address this?

7.0.1 was already released on the 18th. This impacts 7.0 and 7.0.1.

If the fix isn't in 7.0.2 (which has been in testing), then maybe it will be fixed in 7.0.3.