Document Title: =============== Apple iOS 9.3.1 (iPhone 6S & iPhone Plus) - (3D Touch) Passcode Bypass Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1814 Release Date: ============= 2016-04-05 Vulnerability Laboratory ID (VL-ID): ==================================== 1814 Common Vulnerability Scoring System: ==================================== 6.1 Product & Service Introduction: =============================== iOS (previously iPhone OS) is a mobile operating system developed and distributed by Apple Inc. Originally released in 2007 for the iPhone and iPod Touch, it has been extended to support other Apple devices such as the iPad and Apple TV. Unlike Microsoft`s Windows Phone (Windows CE) and Google`s Android, Apple does not license iOS for installation on non-Apple hardware. As of September 12, 2012, Apple`s App Store contained more than 700,000 iOS applications, which have collectively been downloaded more than 30 billion times. It had a 14.9% share of the smartphone mobile operating system units shipped in the third quarter of 2012, behind only Google`s Android. In June 2012, it accounted for 65% of mobile web data consumption (including use on both the iPod Touch and the iPad). At the half of 2012, there were 410 million devices activated. According to the special media event held by Apple on September 12, 2012, 400 million devices have beensold through June 2012. ( Copy of the Homepage: http://en.wikipedia.org/wiki/IOS ) Apple Inc. is an American multinational technology company headquartered in Cupertino, California, that designs, develops, and sells consumer electronics, computer software, and online services. Its hardware products include the iPhone smartphone, the iPad tablet computer, the Mac personal computer, the iPod portable media player, and the Apple Watch smartwatch. Applegovernment-labs consumer software includes the OS X and iOS operating systems, the iTunes media player, the Safari web browser, and the iLife and iWork creativity and productivity suites. Its online services include the iTunes Store, the iOS App Store and Mac App Store, and iCloud. (Copy of the Homepage: https://en.wikipedia.org/wiki/Apple_Inc. ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a local passcode bypass vulnerability in the official Apple iOS 9.3.1 iPhone 6S & Plus models. Vulnerability Disclosure Timeline: ================================== 2016-03-17: Public Disclosure (Evolution Security GmbH - Benjamin Kunz Mejri) 2016-03-18: Vendor Notification (Apple Product Security Team) 2015-**-**: Vendor Response/Feedback (Apple Product Security Team) 2016-**-**: Vendor Fix/Patch (Apple iOS Mobile Developer Team) 2016-04-05: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Apple Product: iOS 9.3.1 - Models (iPhone 6S & iPhone Plus) (3D Touch Only!) Exploitation Technique: ======================= Local Severity Level: =============== High Technical Details & Description: ================================ A passcode bypass vulnerability has been discovered in the official Apple iOS v9.3.1 for iPhone 6S & iPhone Plus models. The vulnerability allows local attackers to bypass the physical device protection mechanism of the iphone 6s and plus models. The 3d touch sendor with the apple display hardware allows to open the basic context menu and new options by low and intensiv push interaction. For example by pushing in the default mail app the messages another context menu for interaction becomes available. The new functions are only available for the apple products like iphone 6S and the iPhone Plus that do support the new hardware. The bug is located in the inner app @ link GET method requests of an installed application. Remote attacker can use siri to request an available runtime app of the task. The interaction is allowed without passcode. After that the attacker surfs over the for example facebook, twitter or yahoo app and search for `@[TAGS]`. The attacker clicks the add tag and holds the button. The new 3d touch sensor of the apple iphone 6s and plus models allows new interactions by processing to push hard the basic context menu becomes visible to the attacker. In the available context menu it is possible to choose to add another new contact. Basically the function is not allowed without passcode auth. Now the attacker click in the new contact the picture / avatar button. Now the screen of the image galler becomes available as library. In the next steps the local attacker with physical device access can request the contacts by usage of an email that is connected to an already existing contact in the list. The issue remember to a bug that was in the early 7.x release of iOS with the calender. In the calender was a yahoo link to the finance stream that allowed us to bypass the display protection of sim locked ios phones. The security risk of the passcode bypass vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.1. Exploitation of the passcode protection mechanism bypass vulnerability requires a low privileged ios device user account and no user interaction. Physical apple device access is required for successful exploitation. Successful exploitation of the vulnerability results in unauthorized device access, mobile apple device compromise and leak of sensitive device data like the address-book, photos, sms, mms, emails, phone app, mailbox, phone settings or access to other default/installed mobile apps. Vulnerable Module(s): [+] PassCode (Protection Mechanism) Affected Device(s): [+] iPhone (Models: 6S) [+] iPhone (Models: 6 Plus) Affected OS Version(s): [+] v9.2.1 & v9.3.1 Proof of Concept (PoC): ======================= The local passcode vulnerability can be exploited by local attackers with low privileged device user account and without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Start the iPhone 6S or iPhone 6 Plus 2. Install for example the default yahoo, twitter or facebook application of the appstore 3. Start the application to the runtime task 4. Set a new passcode via Settings 5. Lock the mobile via power (shutdown) button 6. Open siri by pushing two seconds the home button or use the "hello siri" option 7. Ask siri to search via twitter, yahoo or facebook as slide preview 8. Surf through the feed since a @tag becomes visible or use the search in the preview 9. Push the @tag button - intensive push (6S or Plus) 10. Now the basic context menu becomes visible with new options 11. Choose to add a new contact 12. Open yet the pictures for adding to profile 13. Now, the attacker got already successful access to the photo album of the apple device without secure auth 14. Click to send a message and the mailbox will open without secure auth 14. Successful reproduce of the vulnerability Note: the same is also possible by adding an email to the already existing contact to access the addressbook of the apple device. Solution - Fix & Patch: ======================= The vulnerability can be temporarily patched by the end user via hardening of the device settings. Deactivate in the Settings menu the Siri module permanently. Deactivate in the next step the public control panel without passcode. Disallow siri to access picture information or the addressbook by usage of the privacy settings. Note: The version 9.3.1 is still vulnerable after the last update 2016-04-04. The bug was discovered during the analysis of an error issue with the 3D Touch module in the esec labs in germany. The bug was reported by mail to the apple product security team 2016-03-18. In the advisory VL ID 1778 (http://www.vulnerability-lab.com/get_content.php?id=1778) we do explain provide another temp fix. As far as this solution is already implemented, the exploitation can't take place against your iOS Plus or 6S touch device. Security Risk: ============== The security risk of the local passcode bypass vulnerability in the iphone 6s and plus models are estimated as high. (CVSS 6.1) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (research@vulnerability-lab.com) [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission. Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com