Vulnerability Management

Researcher discovers Apple pass code bypass vulnerability

A researcher at Vulnerability Lab claimed to have discovered a pass code bypass vulnerability in iOS 9.3.1-enabled iPhone 6S and 6S iPhone Plus devices which use the 3D Touch feature.

Benjamin Kunz Mejri discovered the vulnerability that “allows local attackers to bypass the physical device protection mechanism of the iPhones 6s and plus models,” according to an April 5 Full Disclosure mailing list archive.

An attack reportedly requires a low privileged iOS device user account and no user interaction in order to exploit.

Researchers estimated the vulnerability rating would be high with an estimated 6.1 exploitation on the common vulnerability scoring system. If exploited, the bug could result in unauthorized access a user's contacts, photos, text and picture messages, emails, and phone settings.

A source at Apple told that the vulnerability has already been patched without user interaction and is no longer exploitable.  

Skycure was unable to reproduce the exploit, company Chief Technology Officer (CTO) Yair Amit told via emailed comments, but said this wasn't the first time an exploit like this has been reported.

The vulnerability was similar to another alleged iOS bypass bug reported by that the security firm earlier this month that claimed to leverage Siri to gain unauthorized access to a device.

NSFOCUS International Business's Chief Research Analyst - Principal Engineer Stephen Gates told in emailed comments that vulnerabilities are not going away anytime soon.

“If every vulnerability had to be found before an operating system or application was launched or updated, nothing would ever be released,” Gates said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.