Setting Up My iPhone 6s from Scratch to Show the Passcode Bypass Flaw in iOS 9.3.1
I'm setting up my iPhone 6s from scratch so that I can show you the passcode bypass flaw in iOS 9.3.1. As stated at the outset, I have reset this iPhone 6s back to factory default, so I'm going through the whole setup process again using Touch ID and setting up Siri.
First thing we want to do is go into settings and just show you that I am running iOS 9.3.1. There we go, all right, 9.3.1 is confirmed. Now what I also want to do is I want to go ahead and just take a photo because this passcode bypass flaw allows you to access your photo library and view some of your photos. Of course, depending on what you have in your photo library, that could be a very bad thing. Obviously, it's just a privacy breach in general.
I'm going to create a new contact because this passcode bypass flaw allows you to access your contacts and view contacts without entering your passcode or verifying with Touch ID. First of all, I'm just going to lock my device and show you that indeed it is secure. I'm going to use the wrong finger for Touch ID, first of all, which is my pinky finger, which is not registered. So, I did not register my pinky finger, obviously; I just registered one finger. Put in the wrong passcode, so the passcode is definitely enforced.
Now that the passcode is enforced, I'm going to invoke Siri and search for Twitter. "What would you like me to search for on Twitter?" "IGN, yahoo.com." "Checking Twitter..." Basically, the whole point of this is just to search for a valid email address. I just happen to use Yahoo. Now you just 3D Touch on an address that you find in a tweet, and there you go. Now you can just tap create new contact, then tap add photo, and then tap choose photo.
Then Siri will ask for access to your photo library, but notice you did not verify your passcode whatsoever, you did not verify with Touch ID, but you can still accept just like that and get right into your photo library. Granted, this isn't full access, but it's enough so that you can actually view photos in here, which obviously isn't a good thing. You could go through and view these photos; you're not going to be able to do too much with them, but hey, just viewing them alone is, to me, a breach of privacy. I think you would agree with that.
That's not where it stops. Let's try this again. "Search Twitter." "What would you like me to search for on Twitter?" "IGN, yahoo.com." "Okay, here are some tweets." All right, so this time I'm going to 3D Touch and I'm going to choose add to existing contact. Now I can view my contacts. Of course, I only have one contact, but you can also add a photo from this view as well and choose photo.
Really, that's probably the best view to go into if you're about snooping around someone's device, but as you can see here, this is a security flaw, and Apple will hopefully fix this. I'm sure they will in the very near future. Now, if you want to protect yourself in the meantime, what you can do is open up the Settings app, go to Privacy, then go to Photos, and just disable Siri access to photos. The access we gave it earlier, just turn that off.
But if you're really about securing things, you can just shut down Siri access altogether on the lock screen. So, just go into Touch ID & Passcode and then turn off Siri there for the lock screen.
Let me know what you think in the comment section. This is Jeff with 9to5Mac.