Apple iOS 7.0.1 & 7.0.2 - Sim Lock Screen Display Bypass

Since the new iOS v7.0 got discovered, our team already discovered in january a secound local pass code bypass vulnerability in the iOS 6.1 & 6.2. This month we discover a new issue in the iOS v7.0.1 & v7.0.2 vulnerability. The issue affects the screen display mode when the sim card is locked by the iPhone or iPad device. At the end was able to bypass the locked screen display which is regular disabled.

The security vulnerability allows local attackers to bypass a restricted section of the phone application. The vulnerability is located in the iOS v7.0.1 & v7.0.2 when the `sim locked` mode is activated. The local attacker can redirect to the regular standard unlocked mode by using restricted functions with an unlock/ok popup box, calender hyper link + shutdown & home button.

As result the local attacker is able to glitch > jump into the regular locked phone mode with calender + hyperlinks, camera and control center. The local sim lock screen display bypass vulnerability can be exploited by local attackers with physical device access and without user interaction. Successful exploitation results in the bypass of the sim lock mode to the regular lock mode.

Manual reproduce like in the iphone poc security video ...

1. Start your iPhone and ensure you have the iOS v7.0.1 installed

2. Activate the Sim Lock mode

3. Start the device new and you will see a black notification in the middle of the display (sim locked)
Note: Sometimes the message also comes up in the restricted mode with a grey message box in the middle of the display.

4. Open the calender, and scroll down to the two hyper links

5. Press the power button and wait 2 secounds in the last secound your press one of the two hyperlinks

6. You get redirected via hyperlink because of the restriction to the pass code sim lock

7. Press again 3 secound the power button and push at the end in the last secound the home button

8. Click cancel again in the shutdown menu but hold the home button

9. Open up the control center and go to the calculator. Now a message box appears automatically with the sim lock entry button or the ok cancel

10. Press 3 secounds the shutdown button and in the last secound you press the unlock or ok button and hold home
Note: The pass code module comes up but some milisecounds after it there is an automatic redirect to the earlier opened module (calculator)

11. Now the attacker only press one time 3 secounds the power button again and when its opened he press cancel and one time the home button

12. The locked screen disappears and the restricted screen display mode has been bypassed To ensure this is a valid issue we also produced a poc video ...

Advisory: http://vulnerability-lab.com/get_content.php?id=1105

Video: http://www.youtube.com/watch?v=6_e-hvglQdg

but ... thats not all yet! In our testings we found a possibility to crash down the mobile device by only using the restricted mode.

The video has been recorded by a laboratory member to demonstrate an iPhone 5s denial of service vulnerability. The vulnerability freezes the interface functions and a hard reset is required the leave the problem. The issue can be exploited by physical device access of an attacker and the problem is not visible to the attacked person. The issue is a combination of a memory flaw and a glitch problem resulting in the permanent freeze of the control center, calender & camera. The vulnerability is since today marked as zero-day issue with a scoring of 3.9 because the issues can be passed by a hard reset (shutdown<reboot) of the device.

The vulnerability document of the denial of service issue is not published yet.