iOS 7 Bug Lets Anyone Bypass iPhone’s Lockscreen
Forget the debate about the security or insecurity of the iPhone 5s’s fingerprint reader. The latest version of the iPhone’s operating system (iOS 7) currently offers a gaping hole in its passcode lockscreen.
Jose Rodriguez, a 36-year-old soldier living in Spain’s Canary Islands, has found a security vulnerability in iOS 7 that allows anyone to bypass its lockscreen in seconds to access photos, email, Twitter, and more. He shared the technique with Forbes, along with the video above.
As the video shows, anyone can exploit the bug by swiping up on the lockscreen to access the phone’s “control center,” and then opening the alarm clock. Holding the phone’s sleep button brings up the option to power it off with a swipe. Instead, the intruder can tap “cancel” and double-click the home button to enter the phone’s multitasking screen. That offers access to its camera and stored photos, along with the ability to share those photos from the user’s accounts, essentially allowing anyone who grabs the phone to hijack the user’s email, Twitter, Facebook, or Flickr account.
I tested the technique on an iPhone 4 running iOS 7, and it worked. Rodriguez’s video shows it working on an iPad, too. It’s not yet clear if the same exploit can bypass the lockscreen of an iPhone 5s or 5c, but Rodriguez tells me he believes it will. A spokesperson from Apple tells Forbes that the company “takes security very seriously and we’re aware of this issue. We’ll deliver a fix in a future software update.”
Rodriguez has a track record of finding lockscreen bypass bugs in iOS, many of which he says he dug up while killing time in his old job as a driver for government officials. “I had a lot of time to look at the scenery, break the phone or write poetry while waiting for my boss, and I don’t write poetry and already knew the landscape by heart,” he tells Forbes via instant message and Google Translate. So he spent hours “trying everything that goes through my head…I submit my iPhone to cruel methods of torture.”
Anyone hoping to avoid this vulnerability until Apple issues a fix can prevent “control center” from appearing on their lockscreen by accessing “settings,” then “control center.” Some users are also reporting the trick isn’t working on their phones and tablets, though it may just take a little finesse to figure out the timing.
Update: This bug has been fixed with iOS 7.0.2.