Apple iOS privacy FAIL: Lockscreen unsafe again, thanks to Siri [u3]

José Rodriguez is at it again. When will Apple finally rearchitect the lockscreen?

Yet again, Apple iOS 9.0 has a nasty lockscreen bug. It allows anyone to see your photos and contacts. And 9.0.1 doesn't fix the privacy vulnerability.

Your humble blogwatcher was contacted a few days back by the now-infamous José "VBarraquito" Rodriguez. He's found yet another privacy bug in the latest iOS's lockscreen. Apple has rushed out a patch for iOS 9.0, but is the flaw actually fixed? Er, apparently not.

Do you see the pattern here? José Rodriguez reported lockscreen failings in iOS versions 5.1–5.1.1, 6.0–6.1.3, 7.0–7.0.1, 8.0–8.3, 9.0 and now he says the bug is still in 9.0.1. 

#Golfclap: Surely it's time Apple got to the root of the problem, rather than just duct-taping the edges, amirite?

In IT Blogwatch, bloggers experience déjà vu all over again [RIP, Yogi]. Not to mention: Video proof of this and many previous similar iOS bugs, dating back to version 5.1...

Your humble blogwatcher curated these bloggy bits for your entertainment.
[Developing story: Updated 4:25 am PT with many bug-demo videos, at 1:39 pm PT with more info, and at 6:58 am PT Saturday with reports that it's even easier to trigger than we thought.]

Update 2: I've heard from a number of users who've been able to reproduce the issue. There have also been a few who can't. For clarity, the issue has been reported on GM builds of 9.0, 9.0.1, and all current 9.1 beta builds. The first video shows an iPhone with an unusual home screen layout, but I'm assured that it's not jailbroken. The issue is reproducible with four- or six-number passcodes. Obviously I have no insight into Apple's proprietary source code, but the underlying problem smells very much like a poorly-designed software architecture -- or perhaps one that was originally designed well, but was then compromised by poor decisions (e.g., to add Siri support while locked). No comment as yet from Cupertino.

Carly Page was one of several other scribblers contacted by Rodriguez:

A 'serious' security flaw has been discovered in iOS 9 that allows [anyone to] gain access to users' personal data.

To replicate, simply enter four different incorrect passcodes, and...enter three digits of the fifth. Then, hold down the home button to fire up Siri as you enter the fourth. [Now] anyone is able to access the Contacts and Photos on the device.

If you're anything like us you probably don't like the idea of anyone being able to access your private photos. ... Apple has yet to return our request for comment.  MORE

Zach Epstein was, too:

There’s a lot to love in Apple’s newly released iOS 9. [But] it’s time to discuss iOS 9’s worst new feature: A major security flaw.

According to Apple, more than 50% of iPhone and iPad users have already upgraded...millions more will take delivery of their new iPhone 6 and iPhone 6s handsets, which will also be running [it]. ... All of these users are vulnerable to a simple hack.

[I've] been able to reproduce [it] on multiple iPhone 6 handsets...and it is painfully easy to exploit. ... An Apple spokesperson did not immediately respond to a request for comment.  MORE

Swati Khandelwal glows to bring us this:

Setting a passcode on your iPhone is the first line of defense. ... However, it's pretty easy for anyone to access your personal photographs and just 30 seconds...using the benevolent nature of Apple’s personal assistant Siri.

Users can protect themselves by disabling Siri on the lock screen.  MORE

Duncan Riley calls Apple "slack":

Following an already embarrassing week for Apple after the XcodeGhost malware fiasco, the tech giant is faced with more scrutiny.

Apple is very quick to boast about the fact that 50 percent of all Apple users have already upgraded to iOS 9, but it’s just a shame they can’t be more diligent when it comes to basic security.  MORE

Imran Hussain agrees with my analysis that the problem goes deeper:

With every new iOS release, Apple seems to forget to focus on the lockscreen and leaves around a security flaw. iOS 9 continues on the tradition.

I have been able to successfully replicate this issue on iOS 9.1 beta too. ... Apple has yet to address this issue.  MORE

Alas, poor Yorick Phoenix had his hopes of a fix dashed: [You're fired -Ed.]

Seems to be fixed under iOS 9.0.1.

[No] not fixed. Not every time though. ... Nasty flaw.  MORE

Update 3: The pseudonymous AM16 brings more bad news:

I can confirm that even with a ridiculously long password, all you need is Siri enabled in the lock screen and just have her give you the time by asking "what's the time".

Nothing but asking for the time needed and Siri actually bringing up the Clock app in a locked screen. [Or] just swipe up to bring the "Tools and quick settings" menu while the phone is locked, and just click on the clock.

*Sighs*  MORE

And Finally...
All the iOS lockscreen bug demos from José Rodriguez
[from newest to oldest, duplicates elided]

You have been reading IT Blogwatch by Richi Jennings, who curates the best bloggy bits, finest forums, and weirdest websites… so you don't have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi. Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.

Copyright © 2015 IDG Communications, Inc.
