Apple iOS v9.2.1, v9.1 & v9.0 - Researcher disclosed multiple PassCode Protection Bypass Vulnerabilities

Apple iOS v9.2.1 (iPhone & iPad) - Researcher disclosed multiple PassCode Bypass Vulnerabilities

Today in the early morning the vulnerability researcher and ceo of the vulnerability laboratory disclosed several new issues in the newst Apple iOS version (9.2.1). The vulnerabilities allow local attackers with physical device access to bypass the passcode protection of the iPhone (5|5s|6|6s) and iPad (Mini|1|2). Benjamin did already successful discovered around 10 vulnerabilities in the pass code module and the regular ios device protection mechanisms due to the last years. The new bugs turns a new light to the situation of apple against the fbi because of easily bypass the device protection mechanism. In the newst report of today, Benjamin released about 4 new hacks on how to bypass the security protection mechanism of the apple ios passcode module.

Technical details of the local vulnerabilities ...

1.1
In the first scenario the attacker requests for example via siri an non existing app, after that siri answers with an appstore link to search for it. Then the attacker opens the link and a restricted browser window is opened and listing some apps. At that point it is possible to unauthorized switch back to the internal home screen by interaction with the home button or with siri again. The link to bypass the controls is visible in the siri interface only and is called "open App Store". The vulnerability is exploitable in the Apple iPhone 5 & 6(s) with iOS v9.0, v9.1 & v9.2.1

1.2
In the second scenario the attacker is using the control panel to gain access to the non restricted clock app. The local attacker opens the app via siri or via panel and opens then the timer to the end timer or Radar module. The developers of the app grant apple customers to buy more sounds for alerts and implemented a link. By pushing the link a restricted appstore browser window opens.  At that point it is possible to unauthorized switch back to the internal home screen by interaction with the home button or with siri again. The link to bypass the controls becomes visible in the Alert - Tone (Wecker - Ton) & Timer (End/Radar) and is called "Buy more Tones". The vulnerability is exploitable in the Apple iPhone 5 & 6(s) with iOS v9.0, v9.1 & v9.2.1.

1.3
In the third scenario the attacker opens via panel or by a siri request the clock app. After that he opens the internal world clock module. In the buttom right is a link to the weather channel that redirects to the store as far as its deactivated. By pushing the link a restricted appstore browser window opens.  At that point it is possible to unauthorized switch back to the internal home screen by interaction with the home button or with siri again. The link to bypass the controls becomes visible in the World Clock (Weather Channel) and is an image as link. Thus special case is limited to the iPad because only in that models use to display the web world map. In the iPhone version the bug does not exist because the map is not displayed because of using a limited template. The vulnerability is exploitable in the Apple iPad2 with iOS v9.0, v9.1 & v9.2.1.

1.4
In the fourth scenario the attacker opens via siri the 'App & Event Calender' panel. After that the attacker opens under the Tomorrow task the 'Information of Weather' (Informationen zum Wetter - Weather Channel LLC) link on the left bottom. As far as the weather app is deactivated on the
Apple iOS device, a new browser window opens to the appstore. At that point it is possible to unauthorized switch back to the internal home screen by interaction with the home button or with siri again. The link to bypass the controls becomes visible in the App & Events Calender panel. The vulnerability is exploitable in the Apple Pad2 with iOS v9.0, v9.1 & v9.2.1.

Vulnerable Module(s):
[+] PassCode (Protection Mechanism)

Affected Device(s):
[+] iPhone (Models: 5, 5s, 6 & 6s)
[+] iPad (Models: mini, 1 & 2)

Affected OS Version(s):
[+] iOS v9.0, v9.1 & v9.2.1

Proof of Ceoncept (Manual Reproduce)

1.1
Manual steps to reproduce the vulnerability ... (Siri Interface - App Store Link) iPhone (Models: 5, 5s, 6 & 6s)
1. Take the iOS device and lock the passcode to the front
2. Open Siri by activation via Home button (push 2 seconds)
3. Ask Siri to open a non existing App
Note: "Open App Digital (Öffne App Digital)
4. Siri responds to the non existing app and asks to search in the appstore
5. Now, and "open App store" button becomes visible to push (do it!)
6. A new restricted browser window opens with the appstore buttom menu links
7. Click to updates and open the last app or push twice the home button to let the task slide preview appear
8. Now choose the active front screen task
9. Successful reproduce of the passcode protection bypass vulnerability!

1.2
Manual steps to reproduce the vulnerability ... (Clock & Timer - Buy more Tones Link) iPhone (Models: 5, 5s, 6 & 6s)
1. Take the iOS device and lock the passcode to the front
2. Open Siri by activation via Home button (push 2 seconds)
Note: "Open World Clock" (Öffne App Weltuhr)
3. Push the 'Timer' module button on the buttom
4. Now, push the Radius or End Timer Button in the middle of the screen
Note: A listing opens with the sounds collection and on top is a web link commercial
5. Push the button and a new restricted browser window opens with the appstore buttom menu links
6. Click to updates and open the last app or push twice the home button to let the task slide preview appear
7. Now choose the active front screen task
8. Successful reproduce of the passcode protection bypass vulnerability!
Note: The vulnerability can also be exploited by pushing the same link in the Alerts Timer (Wecker) next to adding a new one.

... or

1.3
Manual steps to reproduce the vulnerability ... (Clock World - Weather Channel Image Link) iPad (Models: 1 & 2)
1. Take the iOS device and lock the passcode to the front
2. Open Siri by activation via Home button (push 2 seconds)
Note: "Open App Clock" (Öffne App Uhr)
3. Switch in the buttom module menu to world clock
Note: on the buttom right is an image of the weather channel llc network
4. Push the image of the weather channel llc company in the world map picture
Note: Weather app needs to be deactivated by default
5. After pushing the button and a new restricted browser window opens with the appstore buttom menu links
6. Click to updates and open the last app or push twice the home button to let the task slide preview appear
7. Now choose the active front screen task
8. Successful reproduce of the passcode protection bypass vulnerability!
Note: The issue is limited to the iPad 1 & 2 because of the extended map template!

1.4
Manual steps to reproduce the vulnerability ... (Events Calender App - Weather Channel LLC Link) iPad (Models: 1 & 2) & iPhone (Models: 5, 5s, 6 & 6s)
1. Take the iOS device and lock the passcode to the front
2. Open Siri by activation via Home button (push 2 seconds)
Note: "Open Events/Calender App" (Öffne Events/Kalender App)
3.Now push on the buttom of the screen next to the Tomorrow(Morgen) module the 'Information of Weather Channel' link
Note: Weather app needs to be deactivated by default
4.After pushing the button and a new restricted browser window opens with the appstore buttom menu links
5. Click to updates and open the last app or push twice the home button to let the task slide preview appear
6. Now choose the active front screen task
7. Successful reproduce of the passcode protection bypass vulnerability!

Solution for Customer (./Temp)

The vulnerabilities can be temporarily patched by the end user by hardening of the device settings. Deactivate in the Settings menu the Siri module permanently. Deactivate also the Events Calender without passcode to disable the push function of the Weather Channel LLC link. Deactivate in the next step the public control panel with the timer and world clock to disarm exploitation. Aktivate the weather app settings to prevent the redirect when the module is disabled by default in the events calender. Finally apple needs to issue a patch as workaround for the issue but since this happens a temp solution has been published as well.

Patch / Fix by Apple

Apple was notified about the vulnerabilities to bypass the passcode protection in january 2016. After the initial arrival that confirms the issues, no answer or feedback was replied by apple. Today (2016-03-07) all issues are finally released to the public. The bugs are not fixed or patched and are still marked as zero-day vulnerability since 3rd january 2016.

Video: Apple iOS v9.0, v9.1 & v9.2.1 - Multiple Pass Code Bypass Vulnerabilities

Advisory: http://www.vulnerability-lab.com/get_content.php?id=1778

Video: http://www.vulnerability-lab.com/get_content.php?id=1779

NOTE: The fingerprint on pushing the Home button the siri does not allow you to login when you push the home button. Holding the finger above the home button allows thus. Pushing the button simulates interaction were the printer is not listening activly.

Reference(s):

https://threatpost.com/passcode-bypass-bugs-trouble-ios-9-1-and-later/116624/

http://www.computerworld.com/article/3041302/security/4-new-ways-to-bypass-passcode-lock-screen-on-iphones-ipads-running-ios-9.html

http://securityaffairs.co/wordpress/45131/security/bypass-apple-passcode.html