iOS 15: Disgruntled researcher exposes iPhone lockscreen bypass

News
By
published

New iPhone lockscreen bypass abuses Siri functionality to access Notes content

iPhone 13
(Image credit: Apple)

A security researcher has published details of a new lockscreen bypass technique that can be used to access iPhone content without supplying a passcode or other form of authentication.

The technique abuses quirks in Apple’s Siri and VoiceOver services and could allow an attacker to retrieve information stored in the iPhone Notes app, in which users have been known to store account credentials and other sensitive information.

In a tweet published last week, researcher Jose Rodriguez explained the vulnerability is present in iOS 14.8 and the pre-launch iOS 15 release candidate. He has since also confirmed that the public iOS 15 build, which arrived yesterday, suffers from the same problem.

Apple bug bounty controversy

According to Rodriguez, the decision to disclose the iPhone bug on iOS 15 launch day was a very deliberate one, made in protest of the standard of the Apple bug bounty program.

This is the second time Rodriguez has discovered an iPhone vulnerability of this sort. In a previous instance, he reported the issue directly to Apple, but was unimpressed by the way in which the company handled his disclosure and the compensation he received.

“Apple values reports of issues like this up to $25,000,” he wrote, in reference to the latest vulnerability. “But for reporting a more serious issue I was awarded with $5,000.”

In a later tweet, he explained he had decided to disclose the new vulnerability publicly “in hopes Apple realizes it is being tightwad rewarding security bug reports, and reconsider the bounties (sic)”. 

This is not the first time in recent weeks the company’s bug bounty program has come under fire. Earlier this month, reports emerged of a massive backlog of unfixed bugs and general frustration among security professionals who have engaged with Apple.

TechRadar Pro has asked Apple for comment on the criticisms of its program, but the company is yet to respond.

Via TheRecord

TOPICS
Joel Khalili
Joel Khalili
News and Features Editor

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.