Researchers at Vulnerability Lab have found an Apple iOS vulnerability that allows them to bypass the passcode lock screen on Apple iOS devices running v8.x and v9.x.
Vulnerability Lab has published an advisory in which they explain that the vulnerability is located in the iPad 2 and iPhone 5 and 6 hardware configurations with iOS v8.x and v9.x:
Apple iOS vulnerability
The vulnerability is located in the iPad 2 & iPhone 5 & 6 hardware configuration with iOS v8.2 – v9.2 when processing an update, which results in an interface loop by the application slides. A local attacker can trick the iOS device into a mode where a runtime issue with an unlimited loop occurs. This finally results in a temporary deactivation of the passcode lock screen.
They continue:
By loading the loop with remote app interaction we were able to stably bypass the auth of an iPhone after the reactivation via the shutdown button. The settings of the device were permanently requesting the passcode lock on interaction. Normally the passcode lock is activated during the shutdown button interaction. In case of the loop, the request shuts the display down but does not activate the passcode lock.
Vulnerability Lab also states that the exploit works on non-jailbroken Apple iPhones.
Proof of Concept (PoC):
1. First, fill up some % of the free memory in the iOS device with random data.
2. Now, open the App Store and choose to update all applications (update all push button).
3. Switch fast via the home button to the slide index and perform the iOS update at the same time. Note: The interaction to switch needs to be performed very fast to successfully exploit. In the first load of the update you can still use the home button. Press it to go back to the index.
4. Now, press the home button again to review the open running slides.
5. Switch to the left menu after the last slide, which is new, and open Siri in the same moment. Now the slide hangs and runs all the time in a loop.
6. Turn off the iPad or iPhone via the power button ….
7. Reactivate via the power button and, as you can see, the session still runs in the loop and can be requested without any passcode. Note: Normally the passcode becomes available after the power off button interaction to stand-by mode.
8. Successful reproduction of the local security vulnerability!