A new iPhone 6s/6s Plus passcode bypass flaw is making its rounds on the internet today, and it’s similar to flaws we’ve seen in the past on iOS. Don’t be overly alarmed, though, as the odds of this happening to you are slim. Besides, if you are concerned, there are some bona fide ways to go about protecting yourself.
The bypass only works on the iPhone 6s and iPhone 6s Plus, because those devices feature 3D Touch, which is used for this particular variant of the passcode bypass trick. The flaw is present in the latest iOS 9.3.1 update.
Here’s how to test the passcode bypass
Step 1: Lock your device.
Step 2: Invoke Siri and say “Search Twitter”.
Step 3: Once Siri asks what to search for, say: “at-sign yahoo dot com” or any other popular email domain. The goal is to find a tweet containing a valid email address.
Step 4: Once the search results are returned, tap on a tweet with a valid email address.
Step 5: 3D Touch the email address to bring up the contextual menu.
Step 6: Tap Create New Contact → add photo to view the photos on the device. You may be asked to give Siri access to the Photo Library. You can also view the contacts on the device by using the Add to Existing Contact option instead.
Video walkthrough
How to protect yourself
Protect photos
You can disable Siri access to photos, which will prevent people from using the Create New Contact → add photo option mentioned above in step 6. To do so, go to Settings → Privacy → Photos and disable the Siri switch. This setting may only appear if you’ve already given Siri access to your photos as outlined in step 6 above. Unfortunately, this won’t prevent people from seeing your contacts, so if this is a concern, see the alternative security method below.
Disable Siri on the Lock screen
You can outright disable access to Siri from the Lock screen, stopping this passcode bypass method before it even begins. To do so, go to Settings → Touch ID & Passcode and disable the Siri switch under the Allow Access When Locked heading. This is the more drastic step: it eliminates the ability to use Siri altogether while at the Lock screen, so understand the consequences this could have on your workflow.
You can also rest easy knowing that if your iPhone reboots or encounters a Touch ID grace period time out, you’ll need to verify your passcode before using Siri. Chances are, you’ll never have to worry about your privacy being breached by means of this bypass. That said, you should be aware that such a thing exists, and more importantly, how to go about protecting yourself should the need arise.
Thanks for letting us know about this. Shame this bug made it through to the release, especially after all that has been going on recently.
IMHO there’s really no reason to have Siri enabled on the lock screen if your device has Touch ID anyway; I’ve had it turned off for ages, since the previous password bypass bugs.
I don’t know why Apple doesn’t use the fingerprint scanner to forbid any other finger from working, even to activate Siri, or at least it should be an option. Any other finger would only have access to emergency calls.
I routinely use Hey Siri while driving. So, it’s useful for me to have it enabled on lock screen.
If I need to do that, I use my Apple Watch.
Terrific. I don’t have an Apple Watch.
Well get one :) They just lowered the price on the Sport model :) :)
Not yet. Maybe when they’re self-contained but maybe not. I do wear analog wrist watches but I don’t need notifications on my wrist.
This doesn’t seem to work for me. It prompts me to unlock my iPhone. It only works when I put my finger on the home button, which essentially unlocks the phone. Anybody have the same issue? I have a 6s on 9.3.1
This works because Touch ID unlocks your iPhone while you put your finger on the home button to invoke Siri. I tried it using “Hey, Siri” and it brought up the passcode interface and told me “You’ll need to unlock your iPhone first”.
Test more next time, please.
I respectfully disagree. Fingernails don’t have fingerprints, and I used my fingernail to invoke Siri. I can make a video if you would like, although that would be unnecessary. Trust me, I tested this thoroughly.
It works, I just tried it. Use a finger that isn’t registered with Touch ID or use “hey Siri”. This bug 100% works
False. It works because Siri has been given access to Twitter while the phone is locked. I’m willing to bet you either have the Siri switch turned off in Twitter or not enabled at all. Next time try understanding why something works or doesn’t before you speak down to someone.
Come on Apple – get your sh… together.
but – your lock screen should have everything accessible in the lock screen turned off for security to begin with.
Siri having full access to your iPhone is a security risk.
Always disabled Siri on lock screen. Otherwise, you can simply ask Siri to take you home and it will show your home address. Too scary if some creepy stranger got a hold of your phone…
I tried what you said, it wanted me to Unlock my Phone. So, a stranger getting hold of your phone and asking it this will not work.
It’s also working on my iPhone 6 9.3.1 :o
This only works on the 6s and 6s Plus, and the settings are off by default. You go to Settings, Twitter and uncheck Siri if it has been turned on.
“making its rounds on the internet” is not a very precise indication of the source of this information (VBarraquito, https://www.youtube.com/watch?v=Jk7GaO_vAW8). Mentioning the source is a must and a site of this size should care more about these important details.
wow, apple does not seem to stop failing QA cycles every single time…
It’s sort of an Internet rule: Every post needs a comment from “that guy.” Congratulations, you’re “that guy” for this post. But, hey, the day is young. ;)
It would be nice if this was found during the public betas – but the problem here is that it is not a lock screen, as the name would imply. The screen needs to:
-Allow 911 calls
-Allow notifications (reminders, passbook, etc)
-Respond to Siri (if enabled)
-Answer phone calls and facetime
-Play audio
-Allow navigation apps (google/apple maps, etc)
-Allow Apple pay
-Allow Photos app
-Allow control center
Yeah, this doesn’t work. It tells me I have to unlock first.
Watch the video.
Have you tried it searching WhatsApp instead of Twitter? The same vulnerability is supposed to work there.
When you look at Settings under Twitter is Siri enabled? By default Siri for Twitter is supposed to be disabled making this flaw not work.
What iPhone do you have? It only works on the 6s and 6s plus.
Are we forgetting that always-on “Hey Siri” is trained to only respond to one voice when set up? Does this hack only work with that voice? I know this isn’t fully secure, but the person would have to do a good impression of my voice to get in.
I perhaps forgot that pressing the button overrides the voice matching… ;(
WHEN YOU ACTIVATE SIRI, TOUCH ID IDENTIFIES YOUR FINGERPRINT, IT’S A FAKE PROBLEM
Please read, then yell. Better yet, please read.
OOOPS!!!
Here we go again – yet another Apple lock screen foul up.
Here’s two ideas for Apple –
1) Instead of investing all their time and effort protecting me against a (non-existent) threat from the FBI/NSA/GCHQ/NCA etc – work harder on protecting me against simple, real threats like this.
2) It’s a lock screen. I can go from lock screen to home screen with zero effort now we have touch-id. About time we had a nice simple option to have a lock screen with absolutely nothing acting as a potential back door. Jeff tells us how to turn off siri on lock screen – and mine was already off – but I can’t see a way to turn off e.g. camera app. Time has come for us to have the option for it to be JUST a lock screen.
I have an iPhone 6s with 9.3.1, and Siri is not even an option under Settings → Privacy → Photos for me. I don’t much care, but that seemed odd.
NM
Seems I had to run through this to get the “Grant Siri access to Photos” thing for the first time. When I agree, this “hack” indeed does work.
It doesn’t matter how I invoke Siri, it tells me that I need to unlock my phone first. It does not work for me, yay.
iPhone 6s on 9.3.1
I have the 6s Plus, with an alphanumeric password. When I try to search Twitter, Siri automatically asks me to unlock my iPhone first.
I have a 6s and when I invoke Siri using “Hey Siri” or using a non-Touch ID finger, it asks me to unlock the phone when I say “Search Twitter”
Me too. It just doesn’t work. And I have Siri allowed access to Twitter. Tried it on gf phone as well, she has simple passcode and Twitter access, it keeps asking for passcode. These are both iPhone 6s on iOS 9.3.1
1) Siri asks me to unlock my phone.
2) I don’t see the option to give Siri access to my twitter account
3) I don’t see the option to give Siri access to my photos
If you try this when the phone is unlocked, the first time you give the command Siri will ask for “access to your Twitter account to personalize results.” Once you grant this it will both allow the “glitch” to work and you will see the toggle for siri in photos and Twitter under settings.
Hardly a glitch when it relies on you giving Siri access to something from the lock screen. I haven’t allowed her this and therefore the glitch doesn’t work on my phone, go figure ;)
Looks like this news is flawless, I cannot simulate it on my iPhone 6s, anything I try to do with Siri asks me first to unlock the phone :)
You can also disable the switch in Twitter settings thus solving the security hole without having to take the drastic and unnecessary step of disallowing Siri from the lock screen completely….
Hardly a “Glitch”
Chris: the point is that this is “open” on a stock install of iOS. You don’t see the problem with that?