Apple released iOS 15 on Monday and there’s already a vulnerability making the rounds.
Security researcher Jose Rodriguez published a video Monday detailing how he was able to bypass the lock screen on an iPhone with iOS 15 (and iOS 14.8) in order to access the Notes app.
The vulnerability requires an attacker to have physical access to the targeted device.
In the video, with his iPhone locked, Rodriguez asks Siri to activate VoiceOver, a feature that audibly describes what’s on the screen. He then pulls down the Control Center and taps Instant Notes, which allows users to quickly jot down a note without unlocking the iPhone. Rodriguez then accesses the Control Center again, this time opening the stopwatch in the Clock app.
From there, Rodriguez taps on a few areas of the screen with the stopwatch open, but VoiceOver is describing Notes app actions instead. Eventually, he accesses a saved note in the Notes app and VoiceOver starts reading it to him.
This note is not supposed to be accessible with the iPhone locked.
From there, he’s able to copy the note, including links and attachments, using the VoiceOver rotor.
Rodriguez then begins to showcase all of the ways he’s able to access the content. He declines a call and then opens the custom Messages option and pastes the note’s content. He’s also able to send the content of the note in reply to a message he receives.
Again, this is all occurring without unlocking the iPhone.
The exploit is certainly not good, but a number of features need to have been enabled on the iPhone beforehand for it to be vulnerable to this bug.
According to AppleInsider, in order for the exploit to work, the targeted iPhone must have Siri activated as well. In addition, the iPhone must have Control Center enabled in the lock screen and the Notes and Clock controls added to the Control Center.
Also, password-protected notes are not affected by this vulnerability.
For the attacker to export the Notes content from the locked iPhone, the phone number attached to the targeted device must be known so a secondary device can contact it.
However, Rodriguez also shows how you can share the locked iPhone’s phone number with an attacker’s phone so they can receive the Notes content.
Opening an Instant Note from Control Center, Rodriguez types “tel: (attacker’s phone number).” He highlights the text and chooses “Copy Phone Number” from the dropdown menu. He then pastes the copied text back into the note where it appears as a link.
Normally, tapping this link will tell the iPhone to call the number. However, a locked iPhone will ask for a passcode before doing so. In Rodriguez’s video, he taps the cursor next to the linked number, toggles through the pop-up, and chooses the “Open Link” option, which bypasses the passcode and places the call.
Rodriguez told Mashable he was sending the video to us and making the exploit public on his YouTube channel in order to not only shine a light on the vulnerability, but Apple’s bug bounty system as well.
A recent report by the Washington Post finds other security researchers echoing this dissatisfaction with Apple’s bug bounty program. Security researchers claim other tech companies like Google and Microsoft communicate and pay much better than Apple.
The researcher claims he previously reported a “more serious issue” to Apple and feels he wasn’t paid adequately according to the company’s own policy.
Rodriguez, who has a knack for finding lock screen bypasses, previously reported other exploits, CVE-2021-1835 and CVE-2021-30699. These lock screen vulnerabilities allowed attackers to bypass the lock screen to access messaging apps like WhatsApp on an iPhone.
According to Rodriguez, Apple’s bug bounty program would normally pay “up to $25,000” for discovering such an exploit. He was paid $25,000 for the first exploit but only $5,000 for the second. Rodriguez also says that Apple just “mitigated” the previously reported issues and didn’t fix them, opening the door for his most recent discovery with the Notes app.
Rodriguez did not report the exploit to Apple before publishing the video. He says it currently works on both iOS 14.8 and the newly released iOS 15.
Mashable has reached out to Apple for comment, and we will update this post if we hear back.