

The iOS 6.1 lockscreen hack from earlier this month isn’t the only security vulnerability in Apple’s latest mobile OS.

Benjamin Kunz Mejri, the chief executive of the security firm Vulnerability Lab, detailed yet another iOS 6.1 hack last week in the Full Disclosure mailing list. The hack enables attackers to bypass your iPhone’s lockscreen password, giving them access to your phone’s contacts, photos, voicemails, and more.

Judging from Mejri’s description, the new hack seems related to the earlier iOS 6.1 lockscreen exploit. Both involve using the iPhone’s emergency call function, cancelling it immediately, and then trying to make a screenshot. But the newer attack takes advantage of a slightly different method to make the iPhone vulnerable (basically, pressing the power, home, and emergency call buttons all at once).



Apple acknowledged the previous iOS 6.1 security flaw and quickly issued a fix to developers with the second iOS 6.1.3 beta. That update hasn’t yet trickled down to iPhone owners, and it’s unclear if it also fixes Mejri’s exploit.

Here’s how Mejri describes the exploit in his e-mail to Full Disclosure:

The vulnerability is located in the main login module of the mobile iOS device (iphone or ipad) when processing to use the screenshot function in combination with the emergency call and power (standby) button. The vulnerability allows the local attacker to bypass the code lock in iTunes and via USB when a black screen bug occurs.

The vulnerability can be exploited by local attackers with physical device access without privileged iOS account or required user interaction. Successful exploitation of the vulnerability results in unauthorized device access and information disclosure.


via Wired, ThreatPost; Photo: Devindra Hardawar/VentureBeat
