Skip to main content

iOS 15: Disgruntled researcher exposes iPhone lockscreen bypass

iPhone 13
(Image credit: Apple)

A security researcher has published details of a new lockscreen bypass technique that can be used to access iPhone content without supplying a passcode or other form of authentication.

The technique abuses quirks in Apple’s Siri and VoiceOver services and could allow an attacker to retrieve information stored in the iPhone Notes app, in which users have been known to store account credentials and other sensitive information.

In a tweet published last week, researcher Jose Rodriguez explained the vulnerability is present in iOS 14.8 and the pre-launch iOS 15 release candidate. He has since also confirmed that the public iOS 15 build, which arrived yesterday, suffers from the same problem.

Apple bug bounty controversy

According to Rodriguez, the decision to disclose the iPhone bug on iOS 15 launch day was a very deliberate one, made in protest of the standard of the Apple bug bounty program.

This is the second time Rodriguez has discovered an iPhone vulnerability of this sort. In a previous instance, he reported the issue directly to Apple, but was unimpressed by the way in which the company handled his disclosure and the compensation he received.

“Apple values reports of issues like this up to $25,000,” he wrote, in reference to the latest vulnerability. “But for reporting a more serious issue I was awarded with $5,000.”

In a later tweet, he explained he had decided to disclose the new vulnerability publicly “in hopes Apple realizes it is being tightwad rewarding security bug reports, and reconsider the bounties (sic)”. 

This is not the first time in recent weeks the company’s bug bounty program has come under fire. Earlier this month, reports emerged of a massive backlog of unfixed bugs and general frustration among security professionals who have engaged with Apple.

TechRadar Pro has asked Apple for comment on the criticisms of its program, but the company is yet to respond.

Via TheRecord

Joel Khalili

Joel Khalili is a Staff Writer working across both TechRadar Pro and ITProPortal. He's interested in receiving pitches around cybersecurity, data privacy, cloud, storage, internet infrastructure, mobile, 5G and blockchain.