Apple iOS 9.3.1 Passcode Bypass

`Document Title:  
===============  
Apple iOS 9.3.1 (iPhone 6S & iPhone Plus) - (3D Touch) Passcode Bypass  
Vulnerability  
  
  
References (Source):  
====================  
http://www.vulnerability-lab.com/get_content.php?id=1814  
  
  
Release Date:  
=============  
2016-04-05  
  
  
Vulnerability Laboratory ID (VL-ID):  
====================================  
1814  
  
  
Common Vulnerability Scoring System:  
====================================  
6.1  
  
  
Product & Service Introduction:  
===============================  
iOS (previously iPhone OS) is a mobile operating system developed and  
distributed by Apple Inc. Originally released in 2007 for the  
iPhone and iPod Touch, it has been extended to support other Apple  
devices such as the iPad and Apple TV. Unlike Microsoft`s Windows  
Phone (Windows CE) and Google`s Android, Apple does not license iOS for  
installation on non-Apple hardware. As of September 12, 2012,  
Apple`s App Store contained more than 700,000 iOS applications, which  
have collectively been downloaded more than 30 billion times.  
It had a 14.9% share of the smartphone mobile operating system units  
shipped in the third quarter of 2012, behind only Google`s Android.  
  
In June 2012, it accounted for 65% of mobile web data consumption  
(including use on both the iPod Touch and the iPad). At the half of  
2012, there were 410 million devices activated. According to the special  
media event held by Apple on September 12, 2012, 400 million  
devices have beensold through June 2012.  
  
( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS )  
  
  
Apple Inc. is an American multinational technology company headquartered  
in Cupertino, California, that designs, develops, and sells  
consumer electronics, computer software, and online services. Its  
hardware products include the iPhone smartphone, the iPad tablet  
computer, the Mac personal computer, the iPod portable media player, and  
the Apple Watch smartwatch. Applegovernment-labs consumer software includes  
the OS X and iOS operating systems, the iTunes media player, the Safari  
web browser, and the iLife and iWork creativity and productivity  
suites. Its online services include the iTunes Store, the iOS App Store  
and Mac App Store, and iCloud.  
  
(Copy of the Homepage: https://en.wikipedia.org/wiki/Apple_Inc. )  
  
  
Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered a local  
passcode bypass vulnerability in the official Apple iOS 9.3.1 iPhone 6S  
& Plus models.  
  
  
Vulnerability Disclosure Timeline:  
==================================  
2016-03-17: Public Disclosure (Evolution Security GmbH - Benjamin Kunz  
Mejri)  
2016-03-18: Vendor Notification (Apple Product Security Team)  
2015-**-**: Vendor Response/Feedback (Apple Product Security Team)  
2016-**-**: Vendor Fix/Patch (Apple iOS Mobile Developer Team)  
2016-04-05: Public Disclosure (Vulnerability Laboratory)  
  
  
Discovery Status:  
=================  
Published  
  
  
Affected Product(s):  
====================  
Apple  
Product: iOS 9.3.1 - Models (iPhone 6S & iPhone Plus) (3D Touch Only!)  
  
  
Exploitation Technique:  
=======================  
Local  
  
  
Severity Level:  
===============  
High  
  
  
Technical Details & Description:  
================================  
A passcode bypass vulnerability has been discovered in the official  
Apple iOS v9.3.1 for iPhone 6S & iPhone Plus models.  
The vulnerability allows local attackers to bypass the physical device  
protection mechanism of the iphone 6s and plus models.  
  
The 3d touch sendor with the apple display hardware allows to open the  
basic context menu and new options by low and intensiv  
push interaction. For example by pushing in the default mail app the  
messages another context menu for interaction becomes available.  
The new functions are only available for the apple products like iphone  
6S and the iPhone Plus that do support the new hardware.  
  
The bug is located in the inner app @ link GET method requests of an  
installed application. Remote attacker can use siri to request an  
available runtime app of the task. The interaction is allowed without  
passcode. After that the attacker surfs over the for example facebook,  
twitter or yahoo app and search for `@[TAGS]`. The attacker clicks the  
add tag and holds the button. The new 3d touch sensor of the apple  
iphone 6s and plus models allows new interactions by processing to push  
hard the basic context menu becomes visible to the attacker. In the  
available context menu it is possible to choose to add another new  
contact. Basically the function is not allowed without passcode auth.  
Now the attacker click in the new contact the picture / avatar button.  
Now the screen of the image galler becomes available as library.  
In the next steps the local attacker with physical device access can  
request the contacts by usage of an email that is connected to an  
already existing contact in the list. The issue remember to a bug that  
was in the early 7.x release of iOS with the calender. In the  
calender was a yahoo link to the finance stream that allowed us to  
bypass the display protection of sim locked ios phones.  
  
The security risk of the passcode bypass vulnerability is estimated as  
high with a cvss (common vulnerability scoring system) count of 6.1.  
Exploitation of the passcode protection mechanism bypass vulnerability  
requires a low privileged ios device user account and no user interaction.  
Physical apple device access is required for successful exploitation.  
Successful exploitation of the vulnerability results in unauthorized  
device access, mobile apple device compromise and leak of sensitive  
device data like the address-book, photos, sms, mms, emails, phone app,  
mailbox, phone settings or access to other default/installed mobile apps.  
  
  
Vulnerable Module(s):  
[+] PassCode (Protection Mechanism)  
  
  
Affected Device(s):  
[+] iPhone (Models: 6S)  
[+] iPhone (Models: 6 Plus)  
  
Affected OS Version(s):  
[+] v9.2.1 & v9.3.1  
  
  
Proof of Concept (PoC):  
=======================  
The local passcode vulnerability can be exploited by local attackers  
with low privileged device user account and without user interaction.  
For security demonstration or to reproduce the vulnerability follow the  
provided information and steps below to continue.  
  
Manual steps to reproduce the vulnerability ...  
1. Start the iPhone 6S or iPhone 6 Plus  
2. Install for example the default yahoo, twitter or facebook  
application of the appstore  
3. Start the application to the runtime task  
4. Set a new passcode via Settings  
5. Lock the mobile via power (shutdown) button  
6. Open siri by pushing two seconds the home button or use the "hello  
siri" option  
7. Ask siri to search via twitter, yahoo or facebook as slide preview  
8. Surf through the feed since a @tag becomes visible or use the search  
in the preview  
9. Push the @tag button - intensive push (6S or Plus)  
10. Now the basic context menu becomes visible with new options  
11. Choose to add a new contact  
12. Open yet the pictures for adding to profile  
13. Now, the attacker got already successful access to the photo album  
of the apple device without secure auth  
14. Click to send a message and the mailbox will open without secure auth  
14. Successful reproduce of the vulnerability  
  
Note: the same is also possible by adding an email to the already  
existing contact to access the addressbook of the apple device.  
  
  
Solution - Fix & Patch:  
=======================  
The vulnerability can be temporarily patched by the end user via  
hardening of the device settings. Deactivate in the Settings menu the  
Siri module permanently.  
Deactivate in the next step the public control panel without passcode.  
Disallow siri to access picture information or the addressbook by usage  
of the privacy settings.  
  
Note: The version 9.3.1 is still vulnerable after the last update  
2016-04-04. The bug was discovered during the analysis of an error  
issue with the 3D Touch module in the esec labs in germany. The bug was  
reported by mail to the apple product security team 2016-03-18.  
  
In the advisory VL ID 1778  
(http://www.vulnerability-lab.com/get_content.php?id=1778) we do explain  
provide another temp fix.  
As far as this solution is already implemented, the exploitation can't  
take place against your iOS Plus or 6S touch device.  
  
  
Security Risk:  
==============  
The security risk of the local passcode bypass vulnerability in the  
iphone 6s and plus models are estimated as high. (CVSS 6.1)  
  
  
Credits & Authors:  
==================  
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri  
([email protected])  
[http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]  
  
  
Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without  
any warranty. Vulnerability Lab disclaims all warranties, either  
expressed or implied,  
including the warranties of merchantability and capability for a  
particular purpose. Vulnerability-Lab or its suppliers are not liable in  
any case of damage,  
including direct, indirect, incidental, consequential loss of business  
profits or special damages, even if Vulnerability-Lab or its suppliers  
have been advised  
of the possibility of such damages. Some states do not allow the  
exclusion or limitation of liability for consequential or incidental  
damages so the foregoing  
limitation may not apply. We do not approve or encourage anybody to  
break any licenses, policies, deface websites, hack into databases or  
trade with stolen data.  
  
Domains: www.vulnerability-lab.com - www.vuln-lab.com   
- www.evolution-sec.com  
Contact: [email protected] -  
[email protected] - [email protected]  
Section: magazine.vulnerability-lab.com -  
vulnerability-lab.com/contact.php -  
evolution-sec.com/contact  
Social: twitter.com/vuln_lab -  
facebook.com/VulnerabilityLab -  
youtube.com/user/vulnerability0lab  
Feeds: vulnerability-lab.com/rss/rss.php -  
vulnerability-lab.com/rss/rss_upcoming.php -  
vulnerability-lab.com/rss/rss_news.php  
Programs: vulnerability-lab.com/submit.php -  
vulnerability-lab.com/list-of-bug-bounty-programs.php -  
vulnerability-lab.com/register.php  
  
Any modified copy or reproduction, including partially usages, of this  
file requires authorization from Vulnerability Laboratory. Permission to  
electronically  
redistribute this alert in its unmodified form is granted. All other  
rights, including the use of other media, are reserved by  
Vulnerability-Lab Research Team or  
its suppliers. All pictures, texts, advisories, source code, videos and  
other information on this website is trademark of vulnerability-lab team  
& the specific  
authors or managers. To record, list, modify, use or edit our material  
contact (admin@ or [email protected]) to get a ask permission.  
  
Copyright © 2016 | Vulnerability Laboratory -  
[Evolution Security GmbH]™  
  
--   
VULNERABILITY LABORATORY - RESEARCH TEAM  
SERVICE: www.vulnerability-lab.com  
CONTACT: [email protected]  
  
`