Apple swiftly closes hole in iOS 9 Lock screen


Apple just released iOS 9.0.2.

This new version claims to close the well-publicised Lock screen hole that lets anyone view and edit your contacts, send text messages, and rummage through your photos – without entering your passcode.


If you had an iOS 9 or 9.0.1 device with Siri accessible from your Lock screen, you were vulnerable regardless of the type or length of your passcode, and regardless of whether you had turned on Touch ID.

We tried the trick on an iPhone running iOS 9.0.1 and confirmed that it worked with a 6-digit numeric and 8-digit alphanumeric passcode.

So, we decided to try it again with iOS 9.0.2.

We tested on an iPhone 6 (the same device used in our previous tests) running the newly-released 9.0.2, again with both a 6-digit numeric and an 8-digit alphanumeric passcode.

Good news: it seems that Apple removed a link in the chain to stop this hack from working, because we weren’t able to skip the passcode and get at contacts and photos as we had before.

Despite the fix, however, we still recommend that you turn off Siri on the Lock Screen.

The more features you have available from your Lock screen, the less locked your Lock screen becomes, and the more that could go wrong.

And Siri has been associated with Lock screen trouble before, so here’s how to turn her off.

How to disable Siri on the lock screen

[Screenshot: Siri toggled off on the Lock screen]

Go to Settings | Touch ID & Passcode, and under Allow Access When Locked, toggle Siri off:

Some other settings you may want to consider while you’re about it, as configured in the screenshot above (yes, that’s a Naked Security iPhone):

  • Set Require Passcode to Immediately.
  • Turn off everything you can under Allow Access When Locked.
  • Enable Erase Data after 10 failed passcode attempts.

How to turn Siri off altogether

[Screenshot: Siri turned off altogether]

You may want to go all the way, and turn Siri off altogether.

Go to Settings | General | Siri and toggle to off:

Source: nakedsecurity.sophos.com