Back to list
Apple iOS 9.3.1 (iPhone 6S & iPhone Plus) - (3D Touch) Passcode Bypass Vulnerability
Apr 05 2016 11:24AM
Vulnerability Lab (research vulnerability-lab com)
Apple iOS 9.3.1 (iPhone 6S & iPhone Plus) - (3D Touch) Passcode Bypass
Vulnerability Laboratory ID (VL-ID):
Common Vulnerability Scoring System:
Product & Service Introduction:
iOS (previously iPhone OS) is a mobile operating system developed and
distributed by Apple Inc. Originally released in 2007 for the
iPhone and iPod Touch, it has been extended to support other Apple
devices such as the iPad and Apple TV. Unlike Microsoft`s Windows
Phone (Windows CE) and Google`s Android, Apple does not license iOS for
installation on non-Apple hardware. As of September 12, 2012,
Apple`s App Store contained more than 700,000 iOS applications, which
have collectively been downloaded more than 30 billion times.
It had a 14.9% share of the smartphone mobile operating system units
shipped in the third quarter of 2012, behind only Google`s Android.
In June 2012, it accounted for 65% of mobile web data consumption
(including use on both the iPod Touch and the iPad). At the half of
2012, there were 410 million devices activated. According to the special
media event held by Apple on September 12, 2012, 400 million
devices have beensold through June 2012.
( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )
Apple Inc. is an American multinational technology company headquartered
in Cupertino, California, that designs, develops, and sells
consumer electronics, computer software, and online services. Its
hardware products include the iPhone smartphone, the iPad tablet
computer, the Mac personal computer, the iPod portable media player, and
the Apple Watch smartwatch. Applegovernment-labs consumer software includes
the OS X and iOS operating systems, the iTunes media player, the Safari
web browser, and the iLife and iWork creativity and productivity
suites. Its online services include the iTunes Store, the iOS App Store
and Mac App Store, and iCloud.
(Copy of the Homepage: https://en.wikipedia.org/wiki/Apple_Inc. )
Abstract Advisory Information:
The vulnerability laboratory core research team discovered a local
passcode bypass vulnerability in the official Apple iOS 9.3.1 iPhone 6S
& Plus models.
Vulnerability Disclosure Timeline:
2016-03-17: Public Disclosure (Evolution Security GmbH - Benjamin Kunz
2016-03-18: Vendor Notification (Apple Product Security Team)
2015-**-**: Vendor Response/Feedback (Apple Product Security Team)
2016-**-**: Vendor Fix/Patch (Apple iOS Mobile Developer Team)
2016-04-05: Public Disclosure (Vulnerability Laboratory)
Product: iOS 9.3.1 - Models (iPhone 6S & iPhone Plus) (3D Touch Only!)
Technical Details & Description:
A passcode bypass vulnerability has been discovered in the official
Apple iOS v9.3.1 for iPhone 6S & iPhone Plus models.
The vulnerability allows local attackers to bypass the physical device
protection mechanism of the iphone 6s and plus models.
The 3d touch sendor with the apple display hardware allows to open the
basic context menu and new options by low and intensiv
push interaction. For example by pushing in the default mail app the
messages another context menu for interaction becomes available.
The new functions are only available for the apple products like iphone
6S and the iPhone Plus that do support the new hardware.
The bug is located in the inner app @ link GET method requests of an
installed application. Remote attacker can use siri to request an
available runtime app of the task. The interaction is allowed without
passcode. After that the attacker surfs over the for example facebook,
twitter or yahoo app and search for `@[TAGS]`. The attacker clicks the
add tag and holds the button. The new 3d touch sensor of the apple
iphone 6s and plus models allows new interactions by processing to push
hard the basic context menu becomes visible to the attacker. In the
available context menu it is possible to choose to add another new
contact. Basically the function is not allowed without passcode auth.
Now the attacker click in the new contact the picture / avatar button.
Now the screen of the image galler becomes available as library.
In the next steps the local attacker with physical device access can
request the contacts by usage of an email that is connected to an
already existing contact in the list. The issue remember to a bug that
was in the early 7.x release of iOS with the calender. In the
calender was a yahoo link to the finance stream that allowed us to
bypass the display protection of sim locked ios phones.
The security risk of the passcode bypass vulnerability is estimated as
high with a cvss (common vulnerability scoring system) count of 6.1.
Exploitation of the passcode protection mechanism bypass vulnerability
requires a low privileged ios device user account and no user interaction.
Physical apple device access is required for successful exploitation.
Successful exploitation of the vulnerability results in unauthorized
device access, mobile apple device compromise and leak of sensitive
device data like the address-book, photos, sms, mms, emails, phone app,
mailbox, phone settings or access to other default/installed mobile apps.
[+] PassCode (Protection Mechanism)
[+] iPhone (Models: 6S)
[+] iPhone (Models: 6 Plus)
Affected OS Version(s):
[+] v9.2.1 & v9.3.1
Proof of Concept (PoC):
The local passcode vulnerability can be exploited by local attackers
with low privileged device user account and without user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Start the iPhone 6S or iPhone 6 Plus
2. Install for example the default yahoo, twitter or facebook
application of the appstore
3. Start the application to the runtime task
4. Set a new passcode via Settings
5. Lock the mobile via power (shutdown) button
6. Open siri by pushing two seconds the home button or use the "hello
7. Ask siri to search via twitter, yahoo or facebook as slide preview
8. Surf through the feed since a @tag becomes visible or use the search
in the preview
9. Push the @tag button - intensive push (6S or Plus)
10. Now the basic context menu becomes visible with new options
11. Choose to add a new contact
12. Open yet the pictures for adding to profile
13. Now, the attacker got already successful access to the photo album
of the apple device without secure auth
14. Click to send a message and the mailbox will open without secure auth
14. Successful reproduce of the vulnerability
Note: the same is also possible by adding an email to the already
existing contact to access the addressbook of the apple device.
Solution - Fix & Patch:
The vulnerability can be temporarily patched by the end user via
hardening of the device settings. Deactivate in the Settings menu the
Siri module permanently.
Deactivate in the next step the public control panel without passcode.
Disallow siri to access picture information or the addressbook by usage
of the privacy settings.
Note: The version 9.3.1 is still vulnerable after the last update
2016-04-04. The bug was discovered during the analysis of an error
issue with the 3D Touch module in the esec labs in germany. The bug was
reported by mail to the apple product security team 2016-03-18.
In the advisory VL ID 1778
(http://www.vulnerability-lab.com/get_content.php?id=1778) we do explain
provide another temp fix.
As far as this solution is already implemented, the exploitation can't
take place against your iOS Plus or 6S touch device.
The security risk of the local passcode bypass vulnerability in the
iphone 6s and plus models are estimated as high. (CVSS 6.1)
Credits & Authors:
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(research (at) vulnerability-lab (dot) com [email concealed])
Disclaimer & Information:
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied,
including the warranties of merchantability and capability for a
particular purpose. Vulnerability-Lab or its suppliers are not liable in
any case of damage,
including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers
have been advised
of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental
damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to
break any licenses, policies, deface websites, hack into databases or
trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
Contact: admin (at) vulnerability-lab (dot) com [email concealed] -
research (at) vulnerability-lab (dot) com [email concealed] - admin (at) evolution-sec (dot) com [email concealed]
Section: magazine.vulnerability-lab.com -
Social: twitter.com/vuln_lab -
Feeds: vulnerability-lab.com/rss/rss.php -
Programs: vulnerability-lab.com/submit.php -
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory. Permission to
redistribute this alert in its unmodified form is granted. All other
rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team
& the specific
authors or managers. To record, list, modify, use or edit our material
contact (admin@ or research (at) vulnerability-lab (dot) com [email concealed]) to get a ask permission.
Copyright Â© 2016 | Vulnerability Laboratory -
[Evolution Security GmbH]â?¢
VULNERABILITY LABORATORY - RESEARCH TEAM
CONTACT: research (at) vulnerability-lab (dot) com [email concealed]
[ reply ]
Copyright 2010, SecurityFocus