Apple released iOS 15 on Monday, and there is already a vulnerability going around.
Security researcher Jose Rodriguez posted a video on Monday explaining how he was able to bypass the lock screen on an iPhone running iOS 15 (and iOS 14.8) in order to access the Notes app.
The vulnerability requires that an attacker have physical access to the targeted device.
In the video, with his iPhone locked, Rodriguez asks Siri to activate VoiceOver, an accessibility feature that audibly describes what’s on the screen. He then pulls down Control Center and taps Instant Notes, which lets users quickly take a note without unlocking the iPhone. Rodriguez then opens Control Center again, this time launching the stopwatch in the Clock app.
From there, Rodriguez touches a few areas of the screen with the stopwatch app open, but VoiceOver describes the actions of the Notes app. Eventually, he navigates to a note saved in the Notes application, and VoiceOver begins reading it to him.
This note is not meant to be accessible with the iPhone locked.
From there, he can copy the note, including links and attachments, using the VoiceOver rotor.
Rodriguez then demonstrates the ways he can get the content off the device. He declines an incoming call, opens the Custom Message option and pastes the contents of the note. He is also able to send the contents of the note as a reply to a message the locked iPhone receives.
Again, all of this happens without unlocking the iPhone.
The exploit is certainly not a good look, but a number of features must already be enabled on the iPhone for it to be vulnerable to this bug.
According to AppleInsider, for the exploit to work, the targeted iPhone must have Siri enabled. Additionally, the iPhone must have Control Center accessible from the lock screen, with the Notes and Clock controls added to Control Center.
Additionally, password-protected notes are not affected by this vulnerability.
In order for the attacker to export Notes content from a locked iPhone, the phone number associated with the targeted device must be known so that a secondary device can contact it.
However, Rodriguez also shows how to share the locked iPhone phone number with an attacker’s phone so that they can receive Notes content.
Opening an instant note from Control Center, Rodriguez types “tel: (attacker’s phone number)”. He highlights the text and chooses “Copy phone number” from the pop-up menu. He then pastes the copied text into the note, where it appears as a link.
Normally, tapping this link would instruct the iPhone to call the number, but a locked iPhone asks for the passcode before doing so. In Rodriguez’s video, he taps the cursor next to the linked number to bring up the pop-up menu and chooses the “Open Link” option, which bypasses the passcode prompt and places the call.
Rodriguez told Mashable that he is sending us the video and making the exploit public on his YouTube channel in order to shed light not only on the vulnerability, but also on Apple’s bug bounty system.
A recent report in The Washington Post finds other security researchers echoing this dissatisfaction with Apple’s bug bounty program. Security researchers say other tech companies like Google and Microsoft communicate and pay much better than Apple.
The researcher says he previously reported a “bigger problem” to Apple and believes he has not received adequate payment in accordance with the company’s own policy.
Rodriguez, who has a knack for finding lock screen workarounds, has previously reported other exploits, CVE-2021-1835 and CVE-2021-30699. These lock screen vulnerabilities allowed attackers to bypass the lock screen to access messaging apps like WhatsApp on an iPhone.
According to Rodriguez, Apple’s bug bounty program would normally pay “up to $25,000” for such a feat. He was paid $25,000 for the first but only $5,000 for the second. Rodriguez also says that Apple merely “mitigated” the previously reported issues rather than fixing them, opening the door to his most recent discovery involving the Notes app.
Rodriguez did not report the exploit to Apple before posting the video. He says it currently works on both iOS 14.8 and the brand new iOS 15.
Mashable has contacted Apple for comment, and we’ll update this post if we have a response.