[Editor’s Note: With last week’s release of iOS 8, we enter a new era of security fixes and issues for Apple’s flagship mobile operating system. But, even this latest version faces an issue that comes up regularly with iOS and other mobile operating systems: Lock Screen Bypass. In fact, there are dozens of different ways to bypass the Lock Screen on a device, each applicable to different versions and subversions of iOS. Thankfully, Raul Siles has inventoried a whole bunch of them in this article, providing a useful reference for penetration testers who need to show the risks associated with a given iOS feature or version number. Raul also offers tips for hardening iPhones and iPads against these kinds of attacks. Nifty stuff! –Ed.]
By Raul Siles
The iOS mobile platform has been subject to numerous lock screen bypass vulnerabilities across multiple versions. Although Apple strives to fix these vulnerabilities in its various iOS updates (http://support.apple.com/kb/ht1222), it is important for information security professionals and pen testers to pay close attention to which lock screen bypasses remain unfixed at any given time, evaluate their risks, and promote enforcing physical security and tight access controls on iOS devices.
Shameless plug: If you are interested in this kind of information and want to learn more, Raul will be teaching the 6-day SANS SEC575: Mobile Device Security and Ethical Hacking course in London, UK (Nov 17-22, 2014), Amsterdam, The Netherlands (May 11-16, 2015), and (again in the Summer) London, UK (Jul 13-18, 2015).
Many pen testers tend to focus on traffic or network activity analysis and attacks, Mobile Device Management (MDM) and back-end systems auditing, jailbreaking or rooting opportunities, or in-depth mobile application analysis, leaving aside scenarios that involve physical access to a target device, or the threat of a lost or stolen device. However, real incidents constantly confirm that unattended or stolen devices affected by a lock screen bypass vulnerability are a serious threat that should be included, or at least evaluated, when scoping a mobile pen testing exercise.
Throughout the years, I have been researching, testing, and collecting a list of all these iOS lock screen bypass vulnerabilities for pen testing engagements, presentations, and training sessions. Some of them are related to other hardware components, such as the SmartCover or the SIM card, while others are purely driven by new software features and capabilities, such as Siri or the Control Center introduced in iOS 7. Some issues impact only iPads or only iPhones, while others affect both. History confirms that it is hard for Apple to fully mitigate this threat, as the attack surface is wide and keeps growing with each new version of the iOS platform.
The following list summarizes the history of all the lock screen bypass vulnerabilities that iOS has suffered from iOS 5 to the recent iOS 8. It also includes links to demos and/or videos associated with each vulnerability. The vulnerabilities have been classified by the iOS version that provides the fix; therefore, iOS versions earlier than the one providing the fix are potentially affected by each vulnerability.
The official number of lock screen bypass related vulnerabilities addressed in each major iOS version is:
- iOS 5.x: 4 vulnerabilities.
- iOS 6.x: 8 vulnerabilities.
- iOS 7.x: 12 vulnerabilities.
- iOS 8.0: 4 vulnerabilities (so far!!!).
iOS Lock Screen Bypass Vulnerability History:
The following list is sorted by iOS version. It starts with a set of generic lock screen bypasses that have no officially recognized CVE associated with them (only in this generic section, entries are sorted by date, and the iOS version specified is the vulnerable iOS version rather than the one providing the fix):
- Generic, not officially recognized by Apple, or still unfixed lock screen bypasses:
  - Digital picture frame (iOS 5, iPad, Oct 2011): Access to all photos from the lock screen; could be disabled via Settings. The digital picture frame is no longer available since iOS 7. Ref: http://www.groovypost.com/howto/apple-ios-5-security-lock-down-private-photos-picture-frame/
  - Phone & Contacts access due to a race condition in SIM card insertion (iOS 5.0.1, iPhone, Feb 2012). Ref: http://www.cultofmac.com/147700/ios-5-security-flaw-allows-access-to-contacts-list-recent-calls-text-messages-without-passcode/ Video: http://www.youtube.com/watch?v=Vhy9_bYVIwk (5.0) Video: http://www.youtube.com/watch?v=eFfDR1T6mMg (5.0.1) Video: http://www.youtube.com/watch?v=IZqY1VaMr_A
  - Quick camera access (iOS 5.1, iPhone 4S, Mar 2012): Allows taking pictures; the camera icon is also available in iOS 5 by double-pressing the Home button. This vulnerability still applies today to iOS 7 and can only be mitigated by restricting access to the camera via Settings. Ref: http://www.cnet.com/how-to/access-the-iphone-camera-from-the-lock-screen-even-quicker-on-ios-5-1/
  - Emergency dialer screen (iOS 5.1.1, Jul 2012). Video: http://www.youtube.com/watch?v=12OoO9IdBH4
  - Access to photos via Control Center – Calculator (iOS 7 beta 1, Jun 2013). Video: http://www.youtube.com/watch?v=tTewm0V_5ts
  - Brute force attacks against the incorrect passcode restrictions in Settings (iOS 6, iPad, Jun 2013). Ref: http://www.journaldulapin.com/2013/06/04/brute-force-attack-against-restrictions-code-is-possible-on-ios/ Video: http://www.youtube.com/watch?v=C6md792nMhY
  - Apple Touch ID bypass (iOS 7, iPhone 5S, Sep 2013). Ref: http://ccc.de/en/updates/2013/ccc-breaks-apple-touchid Video: http://vimeo.com/75324765
  - Make calls via Voice Control (iOS 7, Apr 2014): Siri has to be disabled. Video: http://www.youtube.com/watch?v=0CNh_j46byA
  - Bypass time delay for incorrect passcode attempts via iTunes Sync (iOS 7.0-7.1.2, Jun 2014). Video: http://www.youtube.com/watch?v=_rT7o_IXehk
  - Airplane mode via Control Center and missed call in Notification Center (iOS 7.1.1/7.1.2, Aug 2014): Access to the last open app. Ref: http://phonerebel.com/how-to-bypass-ios-7-lockscreen/ Video: http://www.youtube.com/watch?v=Hg9Vy7XzGZY
Although the official security content for iOS 8 does not mention a specific fix for this issue, the vulnerability cannot be exploited in iOS 8. When the missed call notification is selected in airplane mode, it is removed from the Notification Center and the following message is displayed on the lock screen:
  - Passcode “Merge App Service” bypass & Siri (iOS 7.1.2, Sep 2014). Video: https://www.youtube.com/watch?v=9gBtJ5tyRgI
  - (“Voice hacking”) Several information leaks via Siri (iOS 7 & iOS 8, Sep 2014): post to Facebook, get contact details, see call history (last 25 calls), listen to recent messages, and get full access to notes; can be avoided by disabling Siri via Settings. Videos: https://www.youtube.com/user/videosdebarraquito/videos Video: http://www.youtube.com/watch?v=NTA8k4tyY78
- iOS 5.0 (Oct 2011): http://support.apple.com/kb/HT4999
  - Home Screen switching between apps (CVE-2011-3431)
- iOS 5.1 (Mar 2012): http://support.apple.com/kb/HT5192
  - Race condition in gestures to bypass lock screen (CVE-2012-0644)
  - Siri in lock screen allows e-mail access (CVE-2012-0645)
- iOS 5.1.1 (May 2012): http://support.apple.com/kb/HT5278
- iOS 6 (Sep 2012): http://support.apple.com/kb/HT5503
  - Access to last used app (CVE-2012-3735)
  - Screen lock bypass via termination of FaceTime calls (CVE-2012-3736)
  - Access to photos by spoofing the current time (CVE-2012-3737): Since iOS 5 (iPhone, Dec 2011), access to photos & videos from the lock screen due to an incorrect time setting. Ref: http://peekay.org/2011/12/31/incorrect-time-setting-could-leak-ios-5-album-pictures/
  - Perform FaceTime calls and Contacts disclosure (CVE-2012-3738): Since iOS 5.0.1 (iPhone, Feb 2012), Voice Control from the emergency dialer screen allows access to Contacts (enumeration) and making FaceTime calls. Ref: http://peekay.org/2012/02/05/more-fun-with-locked-iphone-4/
  - Screen lock bypass via camera (CVE-2012-3739)
  - Screen lock bypass (CVE-2012-3740)
- iOS 6.0.1 (Nov 2012): http://support.apple.com/kb/HT5567
  - Passbook passes access (CVE-2012-3750). Ref: http://www.amsys.co.uk/2012/blog/passbook-a-security-flaw/
- iOS 6.1 (Jan 2013): http://support.apple.com/kb/HT5642
- iOS 6.1.3 (Mar 2013): http://support.apple.com/kb/HT5704
  - Emergency calls (CVE-2013-0980). Ref: http://www.zdnet.com/iphone-ipad-lock-screen-bypass-fixed-but-34-days-too-late-7000012829/ Video: http://www.youtube.com/watch?v=sVV9S17mZpw Video: http://www.youtube.com/watch?v=MDkLpj3MM-c Related variant combined with iTunes Sync: Ref: http://www.vulnerability-lab.com/get_content.php?id=875 Video: http://www.youtube.com/watch?v=oKOj0GMf810
- iOS 6.1.6 (Feb 2014): http://support.apple.com/kb/HT6146
  - Recently used apps & photos (CVE-2013-5161). Video: http://www.youtube.com/watch?v=tTewm0V_5ts
- iOS 7.0.3 (Oct 2013): http://support.apple.com/kb/HT6010
  - Bypass time delay for incorrect passcode attempts (CVE-2013-5162)
  - Access & call arbitrary contacts via Siri and FaceTime (CVE-2013-5164). Video: http://www.youtube.com/watch?v=fVpfdYYy1Dg Video: http://www.youtube.com/watch?v=AUlhgsgRaXw
- iOS 7.0.4 (Nov 2013): http://support.apple.com/kb/HT6058
- iOS 7.0.6 (Feb 2014): http://support.apple.com/kb/HT6147
- iOS 7.1 (Mar 2014): http://support.apple.com/kb/HT6162
  - FaceTime contacts (CVE-2014-1274). Video: http://www.youtube.com/watch?v=xYuO9k0_WBA
  - SpringBoard during activation (CVE-2014-1285). Video: http://www.youtube.com/watch?v=FEC_s800A5A
  - SpringBoard Lock Screen DoS (CVE-2014-1286)
  - Disable ‘Find My iPhone’ without iCloud credentials (CVE-2014-2019). Video: https://www.youtube.com/watch?v=QnPk4RRWjic
- iOS 7.1.1 (Apr 2014): http://support.apple.com/kb/HT6208
- iOS 8.0 (Sep 2014): http://support.apple.com/kb/HT6441
  - AssistiveTouch (CVE-2014-4368)
  - Determine which app is frontmost (CVE-2014-4361)
  - Home screen during activation lock (CVE-2014-1360)
  - Text message previews (CVE-2014-4356)
NOTE: Since not all of these vulnerabilities have been officially acknowledged by Apple, it is sometimes complex to identify duplicates or missing ones. If you identify any discrepancy, inaccuracies, or additional references or videos, please let me know.
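To turn the list above into a quick triage check for an engagement, the following Python script (added here as an example; it is not part of the original article) encodes the CVE-to-fixing-version mapping exactly as listed on this page and reports which catalogued bypasses are still potentially unfixed for a given iOS version, or for a whole device inventory as an MDM export might provide it. The generic bypasses without a CVE are deliberately left out, so treat those as applying regardless of version. The device names in the sample inventory are made up.

```python
"""
Which of the CVE-tracked iOS lock screen bypasses listed above are still
potentially unfixed on a device running a given iOS version?
Added example: the mapping below is copied from the list on this page,
not from Apple's security database, so keep it in sync with the page.
"""
import re

# iOS version that ships the fix -> CVEs it addresses (from the list above).
LOCK_SCREEN_FIXES = {
    "5.0":   ["CVE-2011-3431"],
    "5.1":   ["CVE-2012-0644", "CVE-2012-0645"],
    "6.0":   ["CVE-2012-3735", "CVE-2012-3736", "CVE-2012-3737",
              "CVE-2012-3738", "CVE-2012-3739", "CVE-2012-3740"],
    "6.0.1": ["CVE-2012-3750"],
    "6.1.3": ["CVE-2013-0980"],
    "6.1.6": ["CVE-2013-5161"],
    "7.0.3": ["CVE-2013-5162", "CVE-2013-5164"],
    "7.1":   ["CVE-2014-1274", "CVE-2014-1285", "CVE-2014-1286", "CVE-2014-2019"],
    "8.0":   ["CVE-2014-4368", "CVE-2014-4361", "CVE-2014-1360", "CVE-2014-4356"],
}


def parse_version(text):
    """'7.0.4' -> (7, 0, 4); '7.1' -> (7, 1, 0). Rejects anything that is not dotted digits."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError("not an iOS version string: %r" % text)
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def unfixed_cves(device_version):
    """CVEs whose fix shipped in a version newer than the one running on the device.

    A plain tuple comparison is intentional: a device stuck on a 6.1.x branch
    update was never offered the 7.x fixes, so they are reported as missing.
    """
    dev = parse_version(device_version)
    return sorted(cve
                  for fix, cves in LOCK_SCREEN_FIXES.items()
                  if parse_version(fix) > dev
                  for cve in cves)


def triage_inventory(inventory):
    """Map each exposed device to its unfixed CVEs; devices with none are omitted."""
    exposed = {}
    for name, version in inventory:
        cves = unfixed_cves(version)
        if cves:
            exposed[name] = cves
    return exposed


# Constructed sample inventory (made-up device names), shaped like an MDM export.
SAMPLE_INVENTORY = [
    ("ipad-finance-01", "7.1.2"),
    ("iphone-ceo", "8.0"),
    ("iphone3gs-lab", "6.1.6"),
    ("ipad-sales-07", "7.0.4"),
]

if __name__ == "__main__":
    for name, cves in triage_inventory(SAMPLE_INVENTORY).items():
        print("%s (%d unfixed): %s" % (name, len(cves), ", ".join(cves)))
```

Any hit is a lead, not a finding: confirm it on the actual device, because the page itself notes that Apple's list is not complete and some entries were never acknowledged, and because a CVE fixed in a point release may have been backported in ways a version string does not show.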
Protecting iOS Devices Against Lock Screen Bypass Vulnerabilities:
This extensive list of iOS lock screen bypass vulnerabilities can be exploited by anyone who gets physical access to a target device, even temporarily. It is therefore crucial for both security professionals and pen testers, as part of the recommendations in their pen test reports, to provide countermeasures that mitigate the associated risks. In fact, unless an organization is impeccable in its patching and update process, you are pretty much guaranteed to find an older version of iOS on some of its devices, which can lead to a significant finding. And if the organization has a Bring Your Own Device (BYOD) policy, again you can count on a proliferation of older versions ripe for attack. If you can gather information about the use of such devices, you will have a nice finding for your report.
In order to minimize the impact of lock screen bypass vulnerabilities on iOS devices, it is highly recommended to always update the mobile device to the latest iOS version available, which should fix all the publicly known vulnerabilities, and to verify manually (or through an MDM solution) that the device really is running the latest and expected iOS version (http://blog.dinosec.com/2014/06/ios-back-to-future.html).
Besides that, some of the (current and future) iOS lock screen bypass vulnerabilities can be mitigated by limiting the functionality available on the lock screen. The following list (which applies to the current iOS 8 version, with additional clarifications for iOS 7) summarizes the recommended configuration options currently available to protect the lock screen on iOS devices. Of course, turning off these functions improves security by lowering the attack surface, but it may also anger users who are no longer able to use the latest gee-whiz features of their devices. Evaluate each of these actions before applying them, as there is always a security versus usability trade-off associated with disabling functionality that is available on the lock screen without requiring the user to enter a passcode. For organizations requiring a high degree of security, though, these hardened configurations should at least be considered:
- Disable Siri (or Voice Dial, if Siri is not enabled; watch out as Music Voice Control is always enabled (*)) when the device is locked: Navigate to “Settings -> Passcode -> Siri (or Voice Dial)” and disable it there (“Allow access when locked: Siri = OFF”).
- Disable Passbook when the device is locked: Navigate to “Settings -> Passcode -> Passbook” and disable it there (“Allow access when locked: Passbook = OFF”).
- Disable the Control Center from the lock screen to avoid exposing sensitive controls, such as enabling/disabling the Wi-Fi or Bluetooth interfaces, or even airplane mode: Navigate to “Settings -> Control Center -> Access on Lock Screen = OFF”. The multiple controls available in Control Center cannot be customized; therefore it can only be enabled or disabled completely.
- Disable the Notification Center, and specifically, its availability from the lock screen, including Today View (new since iOS 7). In iOS 8, navigate to “Settings -> Passcode -> Allow access when locked:” and disable both “Today” and “Notifications View”:
In iOS 7, navigate to “Settings -> Notification Center -> Access on Lock Screen” and disable both, “Notifications View” and “Today View”.
- More granular notification settings can be configured for each individual app from the “Include” section of Notification Center. Apps can be completely unlinked from Notification Center by accessing their settings and turning off notifications. In iOS 8, go to “Settings -> Notifications -> <App> -> Allow Notifications = OFF”. The app will be moved to the “Do Not Include” section at the bottom (e.g. Twitter app):
Additionally, the “Show on Lock Screen” setting from the same menu allows defining if the individual app notifications will be available on the lock screen or not.
In iOS 7, these and other adjustments in the next set of recommendations were available under “Settings -> Notification Center -> …” instead. In iOS 7, to unlink an app from the Notification Center go to “Settings -> Notifications -> <App> -> Show in Notification Center = OFF”.
- iOS allows returning a missed call without knowing the passcode by simply swiping the missed call notification available on the lock screen. This behavior cannot be disabled, other than by not showing this kind of missed call notification on the lock screen (go to “Settings -> Notifications -> Phone -> Show on Lock Screen = OFF”):
Similar recommendations apply to other apps that can also show sensitive information in the lock screen, such as Messages. It is recommended to disable the preview of Messages by going to “Settings -> Notifications -> Messages -> Show Previews = OFF” (a specific issue with this setting has been fixed in iOS 8, CVE-2014-4356):
In order to avoid issues with the SmartCover in iPad devices, its usage can be disabled from “Settings -> General -> Lock/Unlock”:
- Disable the camera: In order to remove the quick camera access icon from the lock screen, completely restrict access to the camera via “Settings -> General -> Restrictions” and disable the ‘Camera’, which will also turn off FaceTime. As there is no other way to simply disable the quick camera access icon, this radical countermeasure is the only option available to avoid someone taking pictures from your iOS device:
- Establish a passcode with at least one alphabetic character, so that the look & feel of the iOS lock screen does not disclose whether your passcode is just a PIN (4 digits), is made up of digits only (more than 4), or (preferred option) is alphanumeric.
- … and remember to physically clean the screen of your iOS devices frequently too, to avoid fingerprints, residues and smudges revealing your passcode.
(*): Voice Dial is always enabled since iOS 7.1, and there is no configuration option to disable it, as was the case in previous iOS versions (e.g. 7.0.x) under “Settings -> General -> Passcode Lock -> Voice Dial” (since iOS 7.1 it would be under “Settings -> Passcode”).
All these recommended actions can be manually implemented through the Settings app or (most of them) via a configuration profile that can be pushed to the target iOS mobile devices through an MDM solution. Both offensive attack opportunities and defensive protections are thoroughly covered in the SANS course, with the main goal of testing and improving the overall security of corporate mobile environments.
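The settings above map onto keys in Apple's Configuration Profile Reference, so the same hardening can be enforced, and audited, with a profile rather than by hand in the Settings app. The following Python script is an added example, not code from the article or from Apple: it builds a .mobileconfig containing a Restrictions payload (com.apple.applicationaccess) for the lock screen controls discussed above and a Passcode payload (com.apple.mobiledevice.passwordpolicy) that forces an alphanumeric passcode, and it audits any profile against that baseline. The com.example identifiers, display names and numeric passcode limits are placeholders to replace with your own. Whether the allowVoiceDialing restriction also covers Music Voice Control is not something this article establishes, so do not rely on the profile for that.

```python
"""
Lock screen hardening as an iOS configuration profile: build one, and audit any
profile against the same baseline. Added example; payload keys are the documented
ones from Apple's Configuration Profile Reference, identifiers are placeholders.
"""
import plistlib
import uuid

# Restrictions payload: every lock screen feature the article recommends turning off.
LOCK_SCREEN_RESTRICTIONS = {
    "allowAssistantWhileLocked": False,         # Siri on the lock screen
    "allowVoiceDialing": False,                 # Voice Dial when Siri is off
    "allowPassbookWhileLocked": False,          # Passbook passes on the lock screen
    "allowLockScreenControlCenter": False,      # Control Center (airplane mode, radios)
    "allowLockScreenNotificationsView": False,  # Notifications View on the lock screen
    "allowLockScreenTodayView": False,          # Today View on the lock screen
    "allowCamera": False,                       # quick camera access (also disables FaceTime)
}

# Passcode payload: alphanumeric passcode, so the lock screen does not reveal a PIN.
# Numeric limits are placeholder values, not the article's recommendation.
PASSCODE_POLICY = {
    "forcePIN": True,
    "allowSimple": False,
    "requireAlphanumeric": True,
    "minLength": 8,
    "maxFailedAttempts": 10,
    "maxInactivity": 2,    # minutes before auto-lock
    "maxGracePeriod": 0,   # passcode required immediately after locking
}

BASELINE = (
    ("com.apple.applicationaccess", LOCK_SCREEN_RESTRICTIONS),
    ("com.apple.mobiledevice.passwordpolicy", PASSCODE_POLICY),
)


def _payload(payload_type, display_name, content):
    payload = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.lockscreen." + payload_type,  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }
    payload.update(content)
    return payload


def build_profile(restrictions=LOCK_SCREEN_RESTRICTIONS, passcode=PASSCODE_POLICY):
    """Return a .mobileconfig (XML plist) as bytes, ready to push through an MDM."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.lockscreen",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Lock screen hardening",
        "PayloadContent": [
            _payload("com.apple.applicationaccess", "Lock screen restrictions", restrictions),
            _payload("com.apple.mobiledevice.passwordpolicy", "Passcode policy", passcode),
        ],
    }
    return plistlib.dumps(profile)


def _meets(key, expected, actual):
    """Booleans must match exactly; minLength is a floor, the other limits are ceilings."""
    if isinstance(expected, bool):
        return actual is expected
    if key == "minLength":
        return actual >= expected
    return actual <= expected


def audit_profile(mobileconfig_bytes):
    """Return {key: (expected, actual)} for each baseline key that is missing or weaker.

    A missing restriction key counts as a finding: iOS defaults to allowing the feature.
    """
    profile = plistlib.loads(mobileconfig_bytes)
    by_type = {}
    for payload in profile.get("PayloadContent", []):
        by_type.setdefault(payload.get("PayloadType"), {}).update(payload)
    findings = {}
    for payload_type, baseline in BASELINE:
        actual = by_type.get(payload_type, {})
        for key, expected in baseline.items():
            if key not in actual or not _meets(key, expected, actual[key]):
                findings[key] = (expected, actual.get(key))
    return findings


if __name__ == "__main__":
    with open("lockscreen-hardening.mobileconfig", "wb") as f:
        f.write(build_profile())
    print("findings against own baseline:", audit_profile(build_profile()))
```

The audit half is the part worth keeping around: point it at the profile an MDM actually deployed (exported, or a signed profile with its CMS wrapper removed first) rather than at the one you intended to deploy, since a key that was never included silently leaves the feature enabled.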
NOTE: This article has been cross-posted on both the SANS Pen Testing Blog and DinoSec’s Blog in September 2014.