It appears that iOS 6.1.3 presents yet another opportunity for attackers to bypass the passcode lock and access the telephone app – which includes information such as the user’s call history and address book data and allows intruders to open the photo gallery and send emails. As demonstrated by a user called VideosdeBarraquito on YouTube, the vulnerability is contained in the old voice dial feature that Apple introduced with the iPhone 3GS in 2009 and which is available as an alternative to Siri up to the iPhone 5. VideosdeBarraquito had also flagged up the vulnerability that Apple fixed with iOS 6.1.3.
Devices become vulnerable if a user hasn’t explicitly disabled voice dialling when the code lock enabled – in which case all a potential attacker needs to do is voice dial a number and remove the SIM card from the device immediately afterwards; this will bypass the code lock and give access to the telephone app. The H‘s associates at Mac & i were able to reproduce the vulnerability on an iPhone 4S under iOS 6.1.3, although the method didn’t work every time.
Enabling Siri instead of the voice dial feature on an iPhone 4S and iPhone 5 makes it impossible to bypass the code lock this way. There also seems to be no access if an alphanumeric passcode is set instead of the four-digit PIN. Users who have disabled Siri can easily mitigate the effects of this vulnerability: voice dialling can be disabled in the iOS settings for the Passcode Lock (under “General”) and will then no longer be accessible from the lock screen.
Apple released iOS 6.1.3 on Tuesday night; among other things, the update fixed a previous vulnerability that allowed the passcode lock to be bypassed. In the past, iOS 4.1 and 2.0.2 had also struggled with vulnerabilities that gave relatively easy access to the telephone app.