Apple iOS 10.3 - UI SMS Access Permission Vulnerability

2017-08-14T00:00:00
ID VULNERLAB:2078
Type vulnerlab
Reporter Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)
Modified 2017-08-14T00:00:00

Description

An access permission vulnerability has been discovered in the official Apple iOS 10.2 & v10.3. The issue allows a local attacker to bypass the code lock function to "Answer with Message / Reply with message" and limited the idevice authentication mechanism. The SMS response menu appears on the screen when it has been deactivated physically by the apple idevice user.

Next to that, the issue leads to a glitch with an access permission issue to the sms function of the phone app in apple iOS 10. After exploitation, the phone stays permanently in a compromised mode were an attacker can send a sms without the activated setting in the code lock module. Phone calls stay in the line even if the other side already canceled the call.

In a video the researcher we deactivated the settings for sms on active incoming calls. Then we glitched the service with the request. However the sms menu was still available on the display screen and allows the attacker to perform several interactions like using the words to get contacts of the users like names and to unauthenticated followup with sms on active incoming calls. The events are tracked by the apple ios with several reports and unknown errors in the analysis module.

The security risk of the access permission vulnerability is estimated as medium with a common vulnerability scoring system count of 4.5. Exploitation of the apple ios access permission vulnerability requires limited physical idevice access and without user interaction. Successful exploitation of the vulnerability results in unauthorized functional access to the sms function or keyboard settings.