iOS 9 security flaw lets attackers access device through Siri

A major security flaw has been identified in the latest version of Apple’s mobile operating system, iOS 9.

It was highlighted by an individual known as Jose Rodriguez, who posted a proof-of-concept video on YouTube (which you can view below).

In it he revealed that cybercriminals are able to exploit a fundamental weakness in iOS 9, which allows them to gain access to a device via Siri.

Mr Rodriguez, whose background and occupation remain unclear, demonstrates as much in the video.

He begins by entering the incorrect passcode, which he repeats three more times (he shows beforehand what the actual passcode is).

On the fifth attempt, however, before he can be locked out, he quickly holds down the home button after typing in the last digit.

This brings up Siri and he then asks, in Spanish, what time it is. The voice-activated personal assistant responds to this prompt by bringing up the device’s inbuilt clock.

After tapping on the clock and then pressing the + icon, Mr Rodriguez is presented with search capabilities, from which he can gain entry into iMessages.

Now he can view any of the contacts stored on the smartphone, including profile pictures, numbers and additional information like emails and addresses.

He also shows how an attacker can browse through a user’s photographs by adding a profile.

While access to other parts of the device remains off-limits, this nevertheless offers cybercriminals access to sensitive information, which can be used to their advantage.

Apple has since been notified of the vulnerability. Until another security update to iOS 9 is released, Mr Rodriguez advises users to disable Siri.

This is an interesting find, as Apple has pitched iOS 9 as one of the most secure operating systems around.

The latest edition comes with enhanced features, including a stronger passcode and a revamped two-factor authentication process (2FA).

Author , ESET

Copyright © 2016 ESET, All Rights Reserved.