Security issue with iOS 8.4 Public Beta 2

Discussion in 'iOS 8' started by nerdriot, May 28, 2015.

  1. nerdriot macrumors regular

    nerdriot

    Joined:
    May 16, 2015
    #1
    I wanted to post this year just in case anyone else was able to re-create what I've done. First, I asked Siri to locate a family member which brought up a map of their location on the lock screen. Tapping the map automatically opens maps, without having to unlock the phone. I tested this with other apps as well, namely Twitter and Facebook, and almost invariably it would allow me to bypass the touch ID and passcode and automatically launch the app by simply asking Siri from the lock screen to open them.

    I don't remember this being an issue in 8.3. Before, it would always say, "You need to unlock your iPhone first."
     
  2. C DM, May 28, 2015
    Last edited: May 28, 2015

    C DM macrumors Westmere

    Joined:
    Oct 17, 2011
    #2
    How did you go about activating Siri on the lock screen to begin with, so that you could make your requests?
     
  3. dearfriendx macrumors 6502

    dearfriendx

    Joined:
    Jun 3, 2011
    Location:
    San Diego, CA
    #3
    Wow I just tried this. Needs attention. I'll report it also
     
  4. nerdriot thread starter macrumors regular

    nerdriot

    Joined:
    May 16, 2015
    #4
    I also reported it in the Feedback app. Certainly others have noticed this and reported it as well, so hopefully this will be fixed in the next release.

    So just as a heads-up for any of you running 8.4 beta on your device, it's probably a good idea to keep your device in your sight and try your best not to misplace it. This could be a potentially dangerous issue.
     
  5. C DM macrumors Westmere

    Joined:
    Oct 17, 2011
    #5
    So anyone care to answer how they are accessing Siri from the lockscreen?
     
  6. netsped macrumors regular

    Joined:
    Jul 8, 2008
    #6
    I bet they are holding the home button/touch id sensor with their registered finger thus unlocking the phone and activating Siri with one touch.

    On my iPhone 6 with iOS 8.3 if I activate Siri with a finger that is not registered, it will ask me to unlock the iPhone before doing certain things (like placing a call or opening an app).
     
  7. C DM macrumors Westmere

    Joined:
    Oct 17, 2011
    #7
    That's basically what I was trying to figure out. Vast majority of these types of "exploits" end up coming down to that (and thus not being exploits).
     
  8. nerdriot thread starter macrumors regular

    nerdriot

    Joined:
    May 16, 2015
    #8

    Sorry for the belated response. You'll find it in Settings > Touch ID & Passcode. [​IMG]
     
  9. C DM macrumors Westmere

    Joined:
    Oct 17, 2011
    #9
    Right, that's the setting to allow it to be used on the lock screen. So once that is enabled, and you are on the lock screen, what did you do to bring up Siri there?
     
  10. nerdriot thread starter macrumors regular

    nerdriot

    Joined:
    May 16, 2015
    #10
    I held down the home button, which leads me to believe you guys are most likely correct; I'm using a finger that I've enabled for Touch ID, so that may be the case.

    However, I had someone I know who uses 8.3 try the same thing and it didn't happen. They may have been using a different finger.

    ----------

    Sorry for the misunderstanding, by the way. I thought you were asking how to activate Siri for use on the lock screen. My brain isn't fully functional today.
     
  11. C DM macrumors Westmere

    Joined:
    Oct 17, 2011
    #11
    No problem. Yeah, it sounds like that's what's behind something like this--using a finger registered with TouchID to bring up Siri, which unlocks the phone in the process.
     
  12. nerdriot thread starter macrumors regular

    nerdriot

    Joined:
    May 16, 2015
    #12
    That seems to be the case. I have three registered prints, and when I used an unregistered finger I couldn't reproduce the issue after multiple attempts.

    Looks as though this is a total non-issue lol. It had me a little frightened though for a moment.
     
  13. gsmornot macrumors 68030

    gsmornot

    Joined:
    Sep 29, 2014
    #13
    I turned Siri off from the lockscreen a long time back because I could ask for my address and get it without unlocking. In some cases it might get your device back to you but generally I don't want to make that info available.

    It removes my ability to use Hey Siri but in the end, that's OK.
     
  14. C DM macrumors Westmere

    Joined:
    Oct 17, 2011
    #14
    I'm assuming that's because you have your addressed stored in your contacts, right?
     
  15. dearfriendx macrumors 6502

    dearfriendx

    Joined:
    Jun 3, 2011
    Location:
    San Diego, CA
    #15
    Update: I've been contacted by Apple's security team for this bug I reported yesterday. They wanted to make sure it was possible to activate Siri with a fingerprint not stored. Indeed I can activate Siri with any finger and infiltrate the iPhone. They also made sure I could reproduce the event with my passcode being required immediately. Indeed...I can still enter the phone without needing a passcode or fingerprint.
     
  16. C DM macrumors Westmere

    Joined:
    Oct 17, 2011
    #16
    Not really sure what's happening in your case, but in what the OP has described and followed up on the actions were launching Siri and unlocking the phone at the same time.
     
  17. dearfriendx macrumors 6502

    dearfriendx

    Joined:
    Jun 3, 2011
    Location:
    San Diego, CA
    #17
    The OP described (in their original post) activating Siri from the lock screen, asking Siri to find a family member/friend using Find My Friends and tapping the map that pops up. It unlocks the phone into that app. No fingerprint or passcode needed. It can be reproduced 100% of the time.
     
  18. C DM macrumors Westmere

    Joined:
    Oct 17, 2011
    #18
    And further discussion shows that the OP used a registered finger to launch Siri which unlocked the phone in the process. Using an unregistered finger didn't result in the same thing, again, as mentioned in follow up posts by the OP.
     
  19. zackattack784 macrumors member

    Joined:
    Sep 17, 2014
    #19
    It's highly likely he's doing the same thing but failing to read anything that's been posted in this thread because he wants to find the "latest" security vulnerability.
     
  20. simon lefisch macrumors 6502a

    simon lefisch

    Joined:
    Sep 29, 2014
    #20
    I'm assuming you all have Touch ID enabled to unlock the phone? If so, try doing the same thing with Touch ID unlock disabled.
     
  21. dearfriendx macrumors 6502

    dearfriendx

    Joined:
    Jun 3, 2011
    Location:
    San Diego, CA
    #21
    I'm very much aware of the situation. Thanks.

    Regardless of what the OP apologized for down the road (unlocking his phone with a stored Touch ID finger...big duh there) I can access my phone without needing a stored fingerprint. Let alone any object hard enough to hold down the home button to activate Siri. Be smarter guys *thumbs up*

    ----------

    It cannot be replicated without Touch ID enabled for iPhone Unlock because this is a Touch ID issue
     
  22. C DM macrumors Westmere

    Joined:
    Oct 17, 2011
    #22
    Well, seems like you are the only one that cans somehow do something like that then.

    As for being smarter, asking all these questions rather than jumping to conclusions is in fact being smarter given that answers often come out of them, as happened in this thread. But thanks for the lesson. Thumbs up indeed.
     
  23. haulis macrumors regular

    Joined:
    Mar 11, 2009
  24. iamMacPerson macrumors 68030

    iamMacPerson

    Joined:
    Jun 12, 2011
    Location:
    AZ/10.0.1.1
    #24
    Not happening on DP3. FWIW I do have a complex passcode enabled and have changed it since I installed the beta.
     
  25. The Doctor11 macrumors 603

    The Doctor11

    Joined:
    Dec 15, 2013
    Location:
    New York

Share This Page