The bug doesn’t affect all iPhones. It is restricted to last year’s iPhone 6s and 6s Plus as the exploit relies on the 3D Touch display technology introduced with the devices. The glitch has been demonstrated in videos on YouTube by Ideosdebarraquito and EverythingApplePro, as CNET reports.
The exploit begins by asking Siri to search Twitter, using voice commands from the lock screen. The aim is to find a search result that includes an email address, from which access to the phone can be obtained.
iPhone 6s and 6s Plus users can “force tap” email addresses in search results. Doing so displays a context menu with an option to “Add to Existing Contact.” Tapping the item reveals a full list of all the contacts stored on the phone.
An alternative option in the context menu, “Create New Contact,” displays the contact creation form when pressed. This allows you to select a photo to add to the contact card, revealing a grid of all the photos on the phone in the process. The flaw could allow an attacker to gain information about a person’s identity from their photo gallery before viewing details of their friends, family and co-workers.
There are ways in which iPhone 6s users can protect against the exploit. The simplest method is to disconnect Twitter from Siri, making it impossible to display the search results that provide access to the phone. Disconnecting Photos from Siri will prevent the digital assistant from accessing the gallery, disabling the second part of the attack.
Siri’s lock screen functionality can be turned off entirely from the “Touch ID & Passcode” section of the Settings app, providing the best protection. You won’t be able to use Siri while the phone is locked though, removing the convenience of the feature.
The flaw won’t affect every user. You have to own a new iPhone and be using Siri and Twitter for it to be enabled. Depending on the information stored on the phone, it could be enough to give an attacker insights into your personality and your connections with others though. Apple has not commented on the videos.
Lock screen exploits are a popular method of attack for opportunist phone thieves. They provide access to personal data without requiring lengthy PIN cracking procedures, defeating the entire point of using a passcode. Siri has eroded iOS lock screen security several times before in the past, a reminder that enabling lock screen apps tends to decrease the effectiveness of a PIN.
