A new video released this week shows an iOS 9 security flaw that allows bypassing the passcode-protected lock screen, granting access to the device’s stored photos and contacts. The flaw does require physical access to the device and is somewhat involved, so most users who keep their device where it belongs (in their hands) shouldn’t have to worry about it.
AppleInsider reports the process was discovered by Jose Rodriguez, who uncovered a similar flaw in iOS 6.1 a few years back. The procedure takes advantage of an apparent bug in Siri’s lock screen access and the iOS 9 five-attempt lockout policy (as seen in the video below).
Rodriguez says he does not own the phone used in the demonstration, and he also does not have any fingerprints registered on the device’s Touch ID sensor. The attack can only be used on devices protected by four- or six-digit passcodes. If you use a long alphanumeric password, you’re apparently safe.
Apple has yet to fix the bug: AppleInsider reports that neither yesterday’s iOS 9.0.1 update nor the iOS 9.1 beta contains a fix.
As we mentioned, the bug does require physical access to the device, so keeping your device on you at all times is the best protection. However, users can protect against the flaw either by using a long alphanumeric password or by disabling Siri lock screen access: go to “Settings” -> “Touch ID & Passcode,” enter your passcode, and deactivate Siri under the “Allow access when locked” setting.