Critical security flaw found in iOS 8 to 10.2

Nov 16, 2016 19:52 GMT

A new security flaw discovered in iOS allows pretty much anyone with access to your phone to bypass the passcode protection (it doesn’t matter whether you configured Touch ID or not) and look at your photos or read your existing messages.

Discovered by EverythingApplePro and iDeviceHelps, this glitch uses Siri to break into the device, and all it takes is a few simple steps. What’s more important to know is that the same flaw exists on iOS 8 and newer, including 10.2 beta 3, but Apple is very likely to patch it in the next beta now that it has gone public.

How to reproduce the bug

First and foremost, what you need to do is to find out the phone number of the victim’s iPhone, and in case you don’t know it just yet, simply ask Siri “Who am I?” As mentioned, this involves having access to the iPhone you want to break into.

The next step comes down to calling the victim’s phone using the phone number previously obtained from Siri; starting a FaceTime call will do it too. Click Message and then Custom Message to proceed to the New Message screen, where you are allowed to type a reply.

Next, activate Siri using the Home button and say “Turn on VoiceOver.” You’ll hear a confirmation message saying “OK, I turned on VoiceOver,” and you can then go back to the message screen.

The next step might not succeed on the first attempt, so you may have to try several times: double tap the bar where you input the caller’s name and then hold, while immediately clicking on the keyboard. Repeat as many times as needed until you see a slide-in effect on the screen above the keyboard. You can then ask Siri to “Turn off VoiceOver.”

Next, simply type in the first letter of a contact’s name in the top bar, tap the circular “i” icon next to the name, and then create a new contact. Select add photo, choose photo, and you’re in. You should be able to see the gallery just like you’d browse the phone, even though the iPhone is still in the locked state.

Reading messages is possible by simply selecting any contact, and you should be able to see all previous conversations with that contact.

How to protect against the bug

Until Apple fixes this bug, the easiest way to stay safe is to disable Siri on the lock screen. To do this, launch Settings and go to Siri > Access on Lock Screen and toggle the switch to disable.
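For iPhones managed through configuration profiles, the same setting can be checked in bulk. The script below is an added example, not part of the original article: it assumes unsigned .mobileconfig files and relies on the `allowAssistantWhileLocked` key of Apple's Restrictions payload; the sample profiles and their identifiers are constructed.

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Apple's Restrictions payload type
SIRI_LOCK_KEY = "allowAssistantWhileLocked"        # key absent = Siri allowed when locked


def siri_blocked_on_lock_screen(profile_bytes: bytes) -> bool:
    """Return True only if a Restrictions payload explicitly sets the key to false.

    Expects an unsigned .mobileconfig (plain plist). A missing key, a missing
    Restrictions payload, or an unparseable file all count as "not blocked".
    """
    try:
        profile = plistlib.loads(profile_bytes)
    except Exception:
        return False
    if not isinstance(profile, dict):
        return False
    payloads = profile.get("PayloadContent", [])
    if not isinstance(payloads, list):
        return False
    return any(
        isinstance(p, dict)
        and p.get("PayloadType") == RESTRICTIONS_TYPE
        and p.get(SIRI_LOCK_KEY) is False
        for p in payloads
    )


def _sample_profile(restrictions: dict) -> bytes:
    """Build a constructed sample profile; identifiers are placeholders."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.constructed.profile",
        "PayloadVersion": 1,
        "PayloadContent": [
            {"PayloadType": RESTRICTIONS_TYPE, "PayloadVersion": 1, **restrictions},
        ],
    })


HARDENED = _sample_profile({SIRI_LOCK_KEY: False})
DEFAULTS = _sample_profile({"allowCamera": True})  # key absent: Siri still reachable

if __name__ == "__main__":
    for name, blob in (("hardened", HARDENED), ("defaults", DEFAULTS)):
        state = "blocked" if siri_blocked_on_lock_screen(blob) else "ALLOWED"
        print(f"{name}: Siri on lock screen {state}")
```

A profile that omits the key is reported as allowed, because the restriction only takes effect when it is explicitly set to false.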

Apple is most likely aware of the bug already, so expect a fix to be provided in the coming days. The full version of iOS 10.2 will most certainly include a patch against this flaw.