Researcher discovers Apple pass code bypass vulnerability

Vulnerability Lab researcher reportedly discovers Apple pass code bypass flaw.
Vulnerability Lab researcher reportedly discovers Apple pass code bypass flaw.

A researcher at Vulnerability Lab claimed to have discovered a pass code bypass vulnerability in iOS 9.3.1-enabled iPhone 6S and 6S iPhone Plus devices which use the 3D Touch feature.

Benjamin Kunz Mejri discovered the vulnerability that “allows local attackers to bypass the physical device protection mechanism of the iPhones 6s and plus models,” according to an April 5 Full Disclosure mailing list archive.

An attack reportedly requires a low privileged iOS device user account and no user interaction in order to exploit.

Researchers estimated the vulnerability rating would be high with an estimated 6.1 exploitation on the common vulnerability scoring system. If exploited, the bug could result in unauthorized access a user's contacts, photos, text and picture messages, emails, and phone settings.

A source at Apple told SCMagazine.com that the vulnerability has already been patched without user interaction and is no longer exploitable.  

Skycure was unable to reproduce the exploit, company Chief Technology Officer (CTO) Yair Amit told SCMagazine.com via emailed comments, but said this wasn't the first time an exploit like this has been reported.

The vulnerability was similar to another alleged iOS bypass bug reported by that the security firm earlier this month that claimed to leverage Siri to gain unauthorized access to a device.

NSFOCUS International Business's Chief Research Analyst - Principal Engineer Stephen Gates told SCMagazine.com in emailed comments that vulnerabilities are not going away anytime soon.

“If every vulnerability had to be found before an operating system or application was launched or updated, nothing would ever be released,” Gates said.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS