There's a second passcode lock vulnerability in iOS 6.1, according to Vulnerability Lab CEO Benjamin Kunz Mejri (hat tip to Kaspersky Lab's threatpost). Mejri had recently outlined the vulnerability in an e-mail to the Full Disclosure list, highlighting yet another way for attackers to get past the lock screen and access a user's contacts, voicemails, and more.
As detailed by Mejri, this new bug appears to be slightly different from the one highlighted earlier this month. The two start out in a similar way—by following a set of steps that utilizes the Emergency Call function in addition to the lock/sleep button and the screenshot feature. When making an emergency call, an attacker could cancel the call while holding the lock/sleep button in order to access data on the phone.
The difference between the first exploit and this one is that this one can make the iPhone screen go black, allowing an attacker to plug the device into a computer via USB and access the user's data without having their PIN or passcode credentials.
"The vulnerability is located in the main login module of the mobile iOS device (iPhone or iPad) when processing to use the screenshot function in combination with the emergency call and power (standby) button. The vulnerability allows the local attacker to bypass the code lock in iTunes and via USB when a black screen bug occurs," Mejri wrote. "The vulnerability can be exploited by local attackers with physical device access without privileged iOS account or required user interaction. Successful exploitation of the vulnerability results in unauthorized device access and information disclosure."
As we wrote on Feb. 14, a version of the passcode bypass bug first appeared in iOS 2.0, then again in iOS 4.1 with a slightly more complex series of steps. The most recent version of the bug appeared in iOS 6.1, but now it turns out there are two versions of this vulnerability in 6.1. In its beta release of iOS 6.1.3 to developers last week, Apple said it would fix the bug once again—we can only assume Apple plans to patch both versions of this bug since they appear to start out the same way. It's not yet known when iOS 6.1.3 will be released to the public, but we're willing to guess we'll see it in the next couple weeks.
iOS passcode bug slated to be fixed in iOS 6.1.3—for real this time
The second beta of iOS 6.1.3 reportedly fixes this security hole.
The recent release of iOS 6.1.2 may have brought Exchange fixes for some, but to the surprise of security experts, the zombie passcode bypass bug that keeps popping up has yet to be fixed. Apple apparently plans to address that bug in an upcoming release of iOS 6.1.3. The company issued a second beta of iOS 6.1.3 to developers on Thursday, as noted by 9to5Mac, which addresses this lock screen bug in addition to bringing Maps enhancements for Japan.
The passcode bug goes way back when it comes to iOS: it first appeared in iOS 2.0, then in 4.1, and then again in 6.1. As we wrote earlier this month, the current version of the bug requires a more complex series of steps than when the bug existed in iOS 2.0, but performing the right actions can give someone access to your call logs, voicemails, contacts, and more. A video posted by The Verge demoed the trick.
Apple acknowledged the bug's existence last week, and it was widely expected that Apple would fix it with the release of iOS 6.1.2. Well, it turns out that wasn't the case, but the next iOS release is slated to patch this up. Of course, this bug seems to keep coming back no matter how many times it's fixed, so who's taking bets on it making another appearance somewhere around the release of iOS 8?