{"id":16397,"date":"2015-10-23T00:00:00","date_gmt":"2015-10-22T22:00:00","guid":{"rendered":"https:\/\/www.soundpr.it\/post_news\/siri-porta-daccesso-per-gli-hacker-sophos-spiega-come-contrastare-il-bug-che-spaventa-gli-utenti-apple\/"},"modified":"2015-10-23T00:00:00","modified_gmt":"2015-10-22T22:00:00","slug":"siri-porta-daccesso-per-gli-hacker-sophos-spiega-come-contrastare-il-bug-che-spaventa-gli-utenti-apple","status":"publish","type":"news","link":"https:\/\/www.soundpr.it\/en\/news\/siri-porta-daccesso-per-gli-hacker-sophos-spiega-come-contrastare-il-bug-che-spaventa-gli-utenti-apple\/","title":{"rendered":"Siri way of access for hackers, Sophos explains how to oppose to the bug that is scaring Apple users"},"content":{"rendered":"

Watch out, iDevice owners!<\/p>\n

Siri has opened the pod bay door<\/a> to let snoopers\u00a0in.<\/p>\n

Barely a week after the release of iOS 9<\/a>, a hacker has found a way for\u00a0snoops to access your contacts and photos and send messages without your passcode.<\/p>\n

The bug affects iOS 9 and iOS 9.0.1 on iPhones, iPads and iPods.<\/p>\n

The security flaw allows a malcontent with physical access to your\u00a0iDevice to use Siri to bypass\u00a0Apple’s Lock screen\u00a0\u2013\u00a0even if you have set up Touch ID with your fingerprint.<\/p>\n

\u2192 Touch ID doesn’t help here. When you set up Touch ID, iOS requires you to have a passcode too, and you can always tell the Touch ID login process that you want skip trying your fingerprint and use your passcode instead. From that point, you can use this hack.<\/p>\n

We’re not going to explain exactly\u00a0how you can get around the lock screen,\u00a0because Apple hasn’t fixed the bug yet\u00a0\u2013 we’re sure you can see\u00a0it demonstrated elsewhere if you really need to know.<\/p>\n

In general terms, the bug allows you\u00a0to bypass the lock screen by entering an incorrect passcode several times and then asking Siri to open\u00a0the clock app.<\/p>\n

Popping up the clock app at the lock screen sounds like a low-risk feature, not least because the lock screen displays the time and date anyway.<\/p>\n

But from the clock, a snoop can use some trickery to access iMessage, and that opens the door to contacts\u00a0and photos.<\/p>\n

An intrepid member of our Naked Security team tried this Siri-enabled hack, and managed to get it to work on an iPhone 6 running iOS 9.0.1. (He tried with both a 6-digit numeric and an 8-character alphanumeric code.)<\/p>\n

What are the risks?<\/p>\n

One of the more worrying consequences, aside from the fact that hackers can access all your selfies, screenshots, family photos and so on, is that a crook can get into iMessage and send text messages in your name to your contacts.<\/p>\n

We can imagine a bunch of ways this could be dangerous, from “mugged abroad<\/a>” scams that could cost you $800, all the way to the sort of password phishing and social engineering that recently cost a Bitcoin exchange called BitPay $1.8 million<\/a>.<\/p>\n

When I contacted the\u00a0bug finder Jose Rodriguez on Twitter, he told me that he posted his video demonstrating the hack because he was “upset with Apple product security.”<\/p>\n

Rodriguez messaged me screenshots of emails he sent to Apple product security (and one to Apple CEO Tim Cook) about the bug\u00a0\u2013 he\u00a0told me he alerted Apple\u00a0two days before iOS 9 came out on 16 September.<\/p>\n

Yet Rodriguez posted his video to YouTube on 19 September\u00a0\u2013 five days\u00a0after telling Apple about the security hole\u00a0\u2013 which wasn’t much time at all for Apple to fix the bug.<\/p>\n

Regardless, this “zero-day” lock screen hack is now widely known.<\/p>\n

Why the flaw?<\/p>\n

Beyond the questions this raises about\u00a0responsible disclosure<\/a> of vulnerabilities, we should ask\u00a0why this serious security flaw exists in the first place.<\/p>\n

Part of the problem is having Siri<\/a> accessible from the lock screen\u00a0\u2013 indeed, we’ve seen\u00a0quite a few\u00a0security holes\u00a0in earlier versions of iOS where\u00a0Siri\u00a0gave up\u00a0access to the device\u00a0without the passcode<\/a>.<\/p>\n

This iOS 9 lock screen bug isn’t quite as bad as the recently fixed lock screen bypass in Android Lollipop<\/a>, which could give a hacker access to everything on your device.<\/p>\n

But the two bugs are similar: on iOS 9, accessing Siri from the lockscreen opens the door; on Android 5.x, the camera app on the lockscreen is the problem.<\/p>\n

As my colleague Paul Ducklin<\/a> observed, having a lock screen really ought to mean that your device is locked<\/i>, not sitting there with the front door closed but the cat flap open.<\/p>\n

What to do?<\/p>\n

Our\u00a0advice: reduce your attack surface right away.<\/p>\n

Apple and Google don’t want to let you turn off the camera on your lock screen, so you’re stuck with a “cat flap” for the camera on both platforms, but we strongly recommend that iDevice owners at least turn off Siri on the lock screen.<\/p>\n

How to disable Siri on the lock screen<\/p>\n

Go to Settings <\/tt>| Touch ID & Passcode<\/tt>, and under Allow Access When Locked<\/tt>, toggle Siri <\/tt>off:<\/p>\n

\"\"<\/p>\n

Some other settings you may want to consider while you’re about it, as configured in the screenshot above (yes, that’s a Naked Security iPhone):<\/p>\n