The iOS mobile platform has been subject to numerous lock screen bypass vulnerabilities across multiple versions during the last years. Although Apple strives to fix these vulnerabilities through various iOS updates (https://support.apple.com/en-us/HT201222), it is important for information and cyber security professionals, and pen-testers, to pay close attention to the current unfixed lock screen bypass scene at any given time, evaluate its risks, and promote enforcing physical security and tight access controls on iOS devices.
Shameless plug: If you are interested in this kind of technical details and want to learn more, Raul Siles will be teaching future SANS courses, such as the 6-day "SANS SEC575: Mobile Device Security and Ethical Hacking" course in:
Many pen-testers tend to focus more on traffic or network activity analysis and attacks, Mobile Device Management (MDM) and back-end systems auditing, jailbreaking or rooting opportunities, or in-depth mobile applications analysis, leaving unattended scenarios with unauthorised physical access to a target device, or the stolen or loss device threat. However, real incidents constantly confirm unattended or stolen devices with a lock screen bypass vulnerability are a serious threat that should be included, or at least evaluated, when scoping a mobile pen testing assessment.
Throughout the years, I've been researching, testing, and collecting a list of all these iOS lock screen bypass vulnerabilities for pen testing engagements, security presentations, and training sessions. Some of them are related to other hardware components, such as the SmartCover or the SIM card, while others are purely driven by new software features and capabilities, such as Siri, VoiceOver or the new Control Center introduced since iOS 7. Some issues impact only iPads or just iPhones, while others affect them all. History ratifies it is hard for Apple to fully mitigate this threat, as the attack surface is significantly wide, and it even increases with newer versions of the iOS platform.
The following list summarises the history of all the lock screen bypass vulnerabilities that iOS has suffered from iOS 5 to the most recent iOS version (until the last update :-). It also includes links to demos and/or videos associated with each vulnerability. The vulnerabilities have been classified based on the iOS version that provides the appropriate fix. Therefore, iOS versions earlier than the one providing the fix are potentially effected by each vulnerability.
The official number of screen lock bypass related vulnerabilities addressed in each major iOS (and since September 2019, in iPadOS) version are:
- iOS 5.x: 4 vulnerabilities.
- iOS 6.x: 8 vulnerabilities.
- iOS 7.x: 12 vulnerabilities.
- iOS 8.x: 11 vulnerabilities.
- iOS 9.x: 6 vulnerabilities.
- iOS 10.x: 10 vulnerabilities.
- iOS 11.x: 10 vulnerabilities.
- iOS 12.x: 8 vulnerabilities.
- iOS 13.x: 4 vulnerabilities.
- iOS 14.x: 7 vulnerabilities.
- iOS 15.x: 11 vulnerabilities.
- iOS 16.x: 10 vulnerabilities.
- iOS 17.x: 12 vulnerabilities.
- iOS 18.x: 4 vulnerabilities (officially, so far!!!).
iOS Lock Screen Bypass Vulnerability History
The following list has been sorted by iOS version, starting first with a list of generic lock screen bypasses with no officially recognised CVE associated to them (only for this generic section, entries are sorted by date and the iOS version specified refers to the vulnerable iOS version):- Generic, not officially recognised by Apple, or still unfixed lock screen bypasses (the iOS version specified for each flaw is the latest version known to be vulnerable):
- Siri (iOS 5, iPhone 4S, Oct 2011): Full phone interaction via Siri and voice commands (send e-mails, make calls, calendar and contacts access, etc); could be avoided disabling Siri via Settings. Ref: http://www.triskt.com/word/2011/10/18/ios-5-siri-authentication-bypass/ Video: http://www.youtube.com/watch?v=UM0Ee4KW5-I
- Digital picture frame (iOS 5, iPad, Oct 2011): Access to all photos from the lock screen; could be disabled via Settings. The digital picture frame is not available anymore since iOS 7. Ref: http://www.groovypost.com/howto/apple-ios-5-security-lock-down-private-photos-picture-frame/
- Phone & Contacts access due to a race condition in SIM card insertion (iOS 5.0.1, iPhone, Feb 2012). Ref: http://www.cultofmac.com/147700/ios-5-security-flaw-allows-access-to-contacts-list-recent-calls-text-messages-without-passcode/ Video: http://www.youtube.com/watch?v=Vhy9_bYVIwk (5.0) Video: http://www.youtube.com/watch?v=eFfDR1T6mMg (5.0.1) Video: http://www.youtube.com/watch?v=IZqY1VaMr_A
- Quick camera access (iOS 5.1, iPhone 4S, Mar 2012): Allows taking pictures; camera icon also available in iOS 5 by double-pressing the Home button. This vulnerability still applies today to iOS 7 and can only be mitigated by restricting access to the camera via Settings. Ref: http://www.cnet.com/how-to/access-the-iphone-camera-from-the-lock-screen-even-quicker-on-ios-5-1/
- Emergency dialer screen (iOS 5.1.1, Jul 2012). Video: http://www.youtube.com/watch?v=12OoO9IdBH4
- Access to photos via Control Center - Calculator (iOS 7 beta 1, Jun 2013). Video: http://www.youtube.com/watch?v=tTewm0V_5ts
- Brute force attacks against incorrect passcode restrictions in Settings (iOS 6, iPad, Jun 2013). Ref: http://www.journaldulapin.com/2013/06/04/brute-force-attack-against-restrictions-code-is-possible-on-ios/ Video: http://www.youtube.com/watch?v=C6md792nMhY
- Apple Touch ID bypass (iOS 7, iPhone 5S, Sep 2013). Ref: http://ccc.de/en/updates/2013/ccc-breaks-apple-touchid Video: http://vimeo.com/75324765
- Make calls via Voice Control (iOS 7, Apr 2014): Siri has to be disabled. Video: http://www.youtube.com/watch?v=0CNh_j46byA
- Bypass time delay for incorrect passcode attempts via iTunes Sync (iOS 7.0-7.1.2, Jun 2014). Video: http://www.youtube.com/watch?v=_rT7o_IXehk
- Exceed the maximum number of failed passcode attempts from the Settings app by setting forward the current time (related to Settings but not to the lock screen; iOS 8.1, Oct 2014). Ref: http://phonerebel.com/new-ios-8-1-bypass-discovered/ Video: https://www.youtube.com/watch?v=JY-SbkwZuxU
- Airplane mode via Control Center and missed call in Notification Center (iOS 7.1.1/7.1.2, Aug 2014): Access to last open app. Ref: http://phonerebel.com/how-to-bypass-ios-7-lockscreen/ Video: http://www.youtube.com/watch?v=Hg9Vy7XzGZY Although the official security content for iOS 8 does not mention a specific fix for this issue, in iOS 8 the vulnerability cannot be exploited. When the missed called notification is selected in airplane mode, it is removed from the Notification Center and the following message is displayed in the lock screen:
- Passcode "Merge App Service" bypass & Siri (iOS 7.1.2, Sep 2014). Video: http://www.youtube.com/watch?v=9gBtJ5tyRgI
- ("Voice hacking") Several information leakages via Siri (iOS 7 & iOS 8, Sep 2014): Post to Facebook, get contact details, see call history last 25), listen recent messages, and get full access to notes. It can be mitigated disabling Siri in the lock screen via Settings. Video: https://www.youtube.com/user/videosdebarraquito/videos Video: http://www.youtube.com/watch?v=NTA8k4tyY78
- Access to message creation, contacts and photos via Control Center and the Clock app (Alarm) when rotation is on (iOS 9 Beta 3, Jul 2015). It can be mitigated disabling Control Center in the lock screen. Video: https://www.youtube.com/watch?v=KEwZSpWT3sI Video: https://www.youtube.com/watch?v=_rAlOHo8f6I
- Siri lock screen bypass (iOS 10.0.1). Video: https://www.youtube.com/watch?v=EVO8ziXT79g
- Access to iMessages, contacts and photos via a FaceTime (or phone) call, a custom message and Siri (plus VoiceOver). Again, this bypass can be mitigated disabling Siri in the lock screen (iOS 10.1.1 & 10.2Beta3 in iPhones and iPads, the discontinued iOS 9.3.5 - iPhone 4S, and back to iOS 8.3...). Video: https://www.youtube.com/watch?v=LWJG5I8xCDU Video: https://www.youtube.com/watch?v=hP3BMyrFBSs (Fixed in iOS 10.2, but not in previous iOS 9.x, or below, versions).
- Siri allows accessing (by reading) the content of (hidden, via "show previews") notifications for third party apps from the lock screen (iOS 11.3 beta - March 20, 2018; similar to CVE-2017-13805 for iOS 11.1). Ref: https://macmagazine.com.br/2018/03/20/bug-de-privacidade-do-ios-faz-a-siri-ler-notificacoes-escondidas-na-tela-bloqueada/ Ref: https://www.macrumors.com/2018/03/22/apple-to-fix-siri-reading-hidden-notifications/
- iOS 11.x passcode bypass services and/or products (iOS 11.3?):
- Cellebrite 'Advanced Unlocking and Extraction Services': https://www.forbes.com/sites/thomasbrewster/2018/02/26/government-can-access-any-apple-iphone-cellebrite (https://media.cellebrite.com/wp-content/uploads/2017/12/advanced-unlocking-extraction-datasheet-jan2018.pdf)
- Grayshift GrayKey: https://blog.malwarebytes.com/security-world/2018/03/graykey-iphone-unlocker-poses-serious-security-concerns/ & https://www.forbes.com/sites/thomasbrewster/2018/03/05/apple-iphone-x-graykey-hack/ & https://motherboard.vice.com/en_us/article/vbxxxd/unlock-iphone-ios11-graykey-grayshift-police (https://graykey.grayshift.com)
- iOS 12.1: Access to contacts via Siri, FaceTime and airplane mode from the lock screen. Video: https://www.youtube.com/watch?v=ojigFgwrtKs (Fixed in iOS 12.1.1).
- Fake iOS 14.5.1 bypass: Unlocking iOS 14.5.1 without knowing the passcode using the calculator via Control Center. PoC in a TikTok video by imnotjs3: https://www.tiktok.com/@imnotjs3/video/6938226042696109318.
- The PoC is fake, as the mobile device is automatically unlocked by Face ID with a legitimate face while in the Control Center screen and interacting with the calculator.
- If the calculator remains in portrait mode, it means Face ID didn't authenticate a legitimate user. If the calculator goes to landscape mode, it means Face ID unlocked the device with a legitimate user.
- iOS 14.8 / iOS 15RC / iOS 15: Lock screen bypass via Siri and Voice Over (again) allows accessing Notes and other sensitive information.
- https://twitter.com/VBarraquito/status/1438186052808757256 (Video: https://www.youtube.com/watch?v=5L2uVg8FDBs). Details: https://therecord.media/researcher-discloses-iphone-lock-screen-bypass-on-ios-15-launch-day/, https://mashable.com/video/apple-ios-15-lock-screen-bypass-notes
- (Sep 2021) This new Siri and Voice Over lock screen bypass was not officially recognised by Apple, until iOS 15.0.1 (with no attribution initially: Oct 1 to 25, 2021).
- iOS 5.0 (Oct 2011): http://support.apple.com/kb/HT4999
- Home Screen switching between apps (CVE-2011-3431)
- iOS 5.0.1 (Nov 2011): http://support.apple.com/kb/HT5052
- SmartCover (iPad 2 - CVE-2011-3440; SmartCover functionality could be disabled via Settings). Video: http://www.youtube.com/watch?v=NLgQ22naQhE
- iOS 5.1 (Mar 2012): http://support.apple.com/kb/HT5192
- Race condition in gestures to bypass lock screen (CVE-2012-0644)
- Siri in lock screen allows e-mail access (CVE-2012-0645) •
- iOS 5.1.1 (May 2012): http://support.apple.com/kb/HT5278
- N/A
- iOS 6 (Sep 2012): http://support.apple.com/kb/HT5503
- Access to last used app (CVE-2012-3735)
- Screen lock bypass via termination of FaceTime calls (CVE-2012-3736)
- Access to photos by spoofing the current time (CVE-2012-3737): Since iOS 5 (iPhone, Dec 2011), photos & videos access from lock screen due to incorrect time setting. Ref: http://peekay.org/2011/12/31/incorrect-time-setting-could-leak-ios-5-album-pictures/
- Perform FaceTime calls and Contacts disclosure (CVE-2012-3738): Since iOS 5.0.1 (iPhone, Feb 2012), Voice Control from the emergency dialer screen allows access to Contacts (enumeration) and make FaceTime calls. Ref: http://peekay.org/2012/02/05/more-fun-with-locked-iphone-4/
- Screen lock bypass via camera (CVE-2012-3739)
- Screen lock bypass (CVE-2012-3740)
- iOS 6.0.1 (Nov 2012): http://support.apple.com/kb/HT5567
- Passbook passes access (CVE-2012-3750). Ref: http://www.amsys.co.uk/2012/blog/passbook-a-security-flaw/
- iOS 6.1 (Jan 2013): http://support.apple.com/kb/HT5642
- N/A
- iOS 6.1.3 (Mar 2013): http://support.apple.com/kb/HT5704
- Emergency calls (CVE-2013-0980). Ref: http://www.zdnet.com/iphone-ipad-lock-screen-bypass-fixed-but-34-days-too-late-7000012829/ Video: http://www.youtube.com/watch?v=sVV9S17mZpw Video: http://www.youtube.com/watch?v=MDkLpj3MM-c & iTunes Sync: Ref: http://www.vulnerability-lab.com/get_content.php?id=875 Video: http://www.youtube.com/watch?v=oKOj0GMf810
- iOS 6.1.6 (Feb 2014): http://support.apple.com/kb/HT6146
- N/A
- iOS 7 (Sep 2013): http://support.apple.com/kb/HT5934
- Screen lock bypass via SIM card ejection (CVE-2013-5147): via Voice Control. Video: http://www.youtube.com/watch?v=QCGJTuTZf8M
- View notifications in Lost Mode (CVE-2013-5153)
- iOS 7.0.2 (Sep 2013): http://support.apple.com/kb/HT5957
- Make calls to any number (CVE-2013-5160). Video: http://www.youtube.com/watch?v=L_1Tary_Qoc
- Recently used apps & photos (CVE-2013-5161). Video: http://www.youtube.com/watch?v=tTewm0V_5ts
- iOS 7.0.3 (Oct 2013): http://support.apple.com/kb/HT6010
- Make calls to any number from the emergency dialer screen (CVE-2013-5144). Video: http://www.youtube.com/watch?v=7DbdRChmFFg Video: http://www.youtube.com/watch?v=AUlhgsgRaXw
- Bypass time delay for incorrect passcode attempts (CVE-2013-5162)
- Access & Call arbitrary contacts via Siri and Facetime (CVE-2013-5164). Video: http://www.youtube.com/watch?v=fVpfdYYy1Dg Video: http://www.youtube.com/watch?v=AUlhgsgRaXw
- iOS 7.0.4 (Nov 2013): http://support.apple.com/kb/HT6058
- N/A
- iOS 7.0.6 (Feb 2014): http://support.apple.com/kb/HT6147
- N/A
- iOS 7.1 (Mar 2014): http://support.apple.com/kb/HT6162
- FaceTime contacts (CVE-2014-1274). Video: http://www.youtube.com/watch?v=xYuO9k0_WBA
- Springboard during activation (CVE-2014-1285). Video: http://www.youtube.com/watch?v=FEC_s800A5A
- SpringBoard Lock Screen DoS (CVE-2014-1286)
- Disable 'Find My iPhone' w/o iCloud credentials (CVE-2014-2019). Video: http://www.youtube.com/watch?v=QnPk4RRWjic
- iOS 7.1.1 (Apr 2014): http://support.apple.com/kb/HT6208
- N/A
- iOS 7.1.2 (Jun 2014): http://support.apple.com/kb/HT6297
- Access to contacts & make calls via Siri (CVE-2014-1351). Video: http://www.youtube.com/watch?v=6cHZBk-eKps
- iOS 8.0 (Sep 2014): http://support.apple.com/kb/HT6441
- AssistiveTouch (CVE-2014-4368)
- Determine which app is frontmost (CVE-2014-4361)
- Home screen available during activation lock (CVE-2014-1360)
- Text message previews (CVE-2014-4356)
- iOS 8.0.1 (Sep 2014): :-D
- iOS 8.0.2 (Sep 2014): http://support.apple.com/kb/DL1758
- N/A
- iOS 8.1 (Oct 2014): https://support.apple.com/kb/HT6541
- N/A
- iOS 8.1.1 (Nov 2014): https://support.apple.com/en-us/HT6590
- Exceed the maximum number of failed passcode attempts (CVE-2014-4451 - affects iOS 6, 7 & 8). Ref: http://technicalnotebook.com/software-bugs/apple-ios-bug-allowing-unlimited-incorrect-pin-attempts/ Ref: http://www.darthnull.org/2014/11/18/ios-lockout-bypass Video: https://www.youtube.com/watch?v=2Bok9Zgas6g
- iP-BOX is a hardware unlocking device that can be used to defeat 4 digit PINs in iOS devices (More technical details at TeelTech).
- Access photos in the Photo Library via Leave a Message in FaceTime (CVE-2014-4463). Video: http://phonerebel.com/new-bypass-ios-8-1-lockscreen-access-photos-iphone-ipad-ipod-touch/
- iOS 8.2 (March 2015): https://support.apple.com/en-us/HT204423
- Springboard: Home screen available during activation (CVE-2015-1064)
- iOS 8.3 (April 2015): https://support.apple.com/en-us/HT204661
- QuickType (displayed on the lockscreen) could learn users' passcodes (CVE-2015-1106)
- Prevent erasing the device after failed passcode attempts (CVE-2015-1107)
- An attacker may exceed the maximum number of failed passcode attempts (CVE-2015-1108)
- iOS 8.4 (June 2015): https://support.apple.com/en-us/HT204941
- N/A
- iOS 8.4.1 (August 2015): https://support.apple.com/en-us/HT205030
- An attacker may be able to accept untrusted certificates from the lock screen (CVE-2015-3756)
- iOS 9.0 (Sep 2015): https://support.apple.com/en-us/HT205212
- Access notifications of content that is set not to be displayed at the lock screen via Siri (CVE-2015-5892)
- Reply to audio messages from the lock screen when message previews are disabled (CVE-2015-5861)
- iOS 9.0.1 (Sep 2015): https://support.apple.com/kb/DL1842
- N/A
- iOS 9.0.2 (Sep 2015): https://support.apple.com/en-us/HT205284
- Access to message creation, contacts and photos via Siri and a race condition in the lock screen via the Clock app (CVE-2015-5923). It can be mitigated disabling Siri in the lock screen via Settings. Video (9.0): https://www.youtube.com/watch?v=_giVIDKwRr4 Video (9.0.1): https://www.youtube.com/watch?v=wl4aoGSZbPc
- iOS 9.1 (Oct 2015): https://support.apple.com/en-us/HT205370
- Phone and Messages notifications may appear on the lock screen even when disabled (CVE-2015-7000)
- iOS 9.2 (Dec 2015): https://support.apple.com/en-us/HT205635
- Siri allows reading notifications of content that is set not to be displayed at the lock screen (CVE-2015-7080)
- iOS 9.2.1 (Jan 2016): https://support.apple.com/en-us/HT205732
- N/A
- iOS 9.3 (Mar 2016): https://support.apple.com/en-us/HT206166
- N/A
- iOS 9.3.1 (Apr 2016): https://support.apple.com/en-us/HT206225
- N/A
- iOS 9.3.2 (May 2016): https://support.apple.com/en-us/HT206568
- Siri allows accessing contacts and photos from the the lock screen (CVE-2016-1852)
- iOS 9.3.3 (Jul 2016): https://support.apple.com/en-us/HT206902
- N/A
- iOS 9.3.4 (Aug 2016): https://support.apple.com/en-us/HT207026
- N/A
- iOS 9.3.5 (Aug 2016): https://support.apple.com/en-us/HT207107
- N/A
- iOS 10.0 (Sep 2016): https://support.apple.com/en-us/HT207143
- N/A
- iOS 10.0.1 (Sep 2016): https://support.apple.com/en-us/HT207145
- N/A
- iOS 10.0.2 (Sep 2016): https://support.apple.com/en-us/HT207199
- N/A
- iOS 10.0.3 (Oct 2016): https://support.apple.com/en-us/HT207263
- N/A
- iOS 10.1 (Oct 2016): https://support.apple.com/en-us/HT207271
- N/A
- iOS 10.1.1 (Oct 2016): https://support.apple.com/kb/HT207287
- N/A
- iOS 10.2 (Dec 2016): https://support.apple.com/en-us/HT207422
- Access to photos and contacts (and iMessages) from the lock screen via a FaceTime (or phone) call, a custom message and Siri, plus VoiceOver (CVE-2016-7664). Video: https://www.youtube.com/watch?v=LWJG5I8xCDU
- The device does not lock the screen after the idle timeout when the Touch ID prompt is shown (CVE-2016-7601).
- Access to photos and contacts from the lock screen due to a validation issue in the handling of media selection (CVE-2016-7653).
- Device can be unlocked due to a counter issue in the handling of passcode attempts when resetting the passcode (CVE-2016-4781).
- Device can remain unlocked due to a cleanup issue in the handling of Handoff with Siri (CVE-2016-7597).
- iOS 10.2.1 (Jan 2017): https://support.apple.com/en-us/HT207482
- Auto Unlock may unlock when Apple Watch is off the user's wrist (CVE-2017-2352).
- An activation-locked device can be manipulated via Wi-Fi to present the home screen (CVE-2017-2351).
- iOS 10.3 (Mar 2017): https://support.apple.com/en-us/HT207617
- iCloud authentication prompts may disclose the user's Apple ID from the lock screen (CVE-2017-2397).
- Siri might reveal text message contents while the device is locked (CVE-2017-2452).
- iOS 10.3.1 (Apr 2017): https://support.apple.com/en-us/HT207688
- N/A
- iOS 10.3.2 (May 2017): https://support.apple.com/en-us/HT207798
- N/A
- iOS 10.3.3 (July 2017): https://support.apple.com/en-us/HT207923
- Notifications may appear on the lock screen when disabled (CVE-2017-7058).
- iOS 11.0 (Sep 2017): https://support.apple.com/en-us/HT208112
- A screenshot of secure content may be taken when locking an iOS device (CVE-2017-7139).
- iOS 11.0.1 (Sep 2017): https://support.apple.com/en-us/HT208143
- N/A (empty)
- iOS 11.0.2 (Oct 2017): https://support.apple.com/en-us/HT208164
- N/A (empty)
- iOS 11.0.3 (Oct 2017): https://support.apple.com/en-us/HT208182
- N/A (empty)
- iOS 11.1 (Oct 2017): https://support.apple.com/en-us/HT208222
- A person with physical access to an iOS device may be able to access photos from the lock screen (CVE-2017-13844).
- A person with physical access to an iOS device may be able to use Siri to read notifications of content that is set not to be displayed at the lock screen (CVE-2017-13805).
- iOS 11.1.1 (Nov 2017): https://support.apple.com/en-us/HT208255
- N/A (empty)
- iOS 11.1.2 (Nov 2017): https://support.apple.com/en-us/HT208282
- N/A (empty)
- iOS 11.2 (Dec 2017): https://support.apple.com/en-us/HT208334
- N/A (empty)
- iOS 11.2.1 (Dec 2017): https://support.apple.com/en-us/HT208357
- N/A (empty)
- iOS 11.2.2 (Jan 2018): https://support.apple.com/en-us/HT208401
- N/A (empty)
- iOS 11.2.5 (Jan 2018): https://support.apple.com/en-us/HT208463
- N/A (empty)
- iOS 11.2.6 (Feb 2018): https://support.apple.com/en-us/HT208534
- N/A (empty)
- iOS 11.3 (Mar 2018): https://support.apple.com/en-us/HT208693
- A person with physical access to an iOS device may be able to see the email address used for iTunes via the Clock alarms and timers (CVE-2018-4123)
- File Widget may display contents on a locked device (CVE-2018-4168)
- A person with physical access to the device may be able to disable Find My iPhone without entering an iCloud password when restoring from a back up (CVE-2018-4172)
- iOS 11.4 (Jun 2018): https://support.apple.com/en-us/HT208848
- A person with physical access to an iOS device may be able to view the last image used in Magnifier from the lock screen (CVE-2018-4239)
- A person with physical access to an iOS device may be able to enable Siri from the lock screen (CVE-2018-4238)
- A person with physical access to an iOS device may be able to use Siri to read notifications of content that is set not to be displayed at the lock screen (CVE-2018-4252)
- An attacker with physical access to a device may be able to see private contact information due to an issue with Siri permissions and Contacts (CVE-2018-4244)
- iOS 11.4.1 (July 2018): https://support.apple.com/en-us/HT208938
- N/A (empty)
- iOS 12.0 (Sep 2018): https://support.apple.com/en-us/HT209106
- A person with physical access to an iOS device may be able to determine the last used app from the lock screen (CVE-2018-4325)
- iOS 12.0.1 (Oct 2018): https://support.apple.com/en-us/HT209162
- A lock screen issue allows a potential attacker access to photos and contacts on a locked device via Siri and VoiceOver (CVE-2018-4380). Video: https://www.youtube.com/watch?v=X2yQS1VzmZ0
- A lock screen issue allows a potential attacker accessing the share function (share items) on a locked device via Siri and VoiceOver (CVE-2018-4379). Video: https://www.youtube.com/watch?v=fZh4cM3R0qU
- iOS 12.1 (Oct 2018): https://support.apple.com/en-us/HT209192
- A lock screen issue allows a potential attacker access to photos via Reply With Message on a locked device (CVE-2018-4387). Video: https://www.youtube.com/watch?v=CjiLN2L_v5k
- A lock screen issue allows a potential attacker access to the share function on a locked device (CVE-2018-4388). Video: https://www.youtube.com/watch?v=CjiLN2L_v5k&t=160
- iOS 12.1.1 (Dec 2018): https://support.apple.com/en-us/HT209340
- A lock screen issue allows a potential attacker access to view contacts from the lock screen via FaceTime (CVE-2018-4430). Video: https://www.youtube.com/watch?v=ojigFgwrtKs
- iOS 12.1.2 (Dec 2018): This update has no published CVE entries (https://support.apple.com/en-us/HT201222).
- iOS 12.1.3 (Jan 2019): https://support.apple.com/en-us/HT209443
- N/A (empty)
- iOS 12.1.4 (Feb 2019): https://support.apple.com/en-us/HT209520
- N/A (empty)
- iOS 12.2 (Mar 2019): https://support.apple.com/en-us/HT209599
- N/A (empty)
- iOS 12.3 (May 2019): https://support.apple.com/en-us/HT210118
- A person with physical access to an iOS device may be able to see the email address used for iTunes (CVE-2019-8599).
- iOS 12.4 (Jul 2019): https://support.apple.com/en-us/HT210346
- A user may inadvertently complete an in-app purchase while on the lock screen via Wallet (CVE-2019-8682).
- iOS 12.4.1 (Aug 2019): https://support.apple.com/en-us/HT210549
- N/A (empty)
- iOS 12.4.2 (Sep 2019): https://support.apple.com/en-us/HT2105908
- N/A (empty)
- iOS 12.4.3 (Oct 2019): https://support.apple.com/en-us/HT211134
- N/A (empty)
- iOS 12.4.4 (Dec 2019): https://support.apple.com/en-us/HT210787
- N/A (empty)
- iOS 12.4.5 (Jan 2020): N/A
- iOS 12.4.6 (Mar 2020): N/A
- iOS 12.4.7 (May 2020): https://support.apple.com/en-us/HT211169
- N/A (empty)
- iOS 12.4.8 (Jul 2020): N/A
- iOS 12.5 (Dec 2020): https://support.apple.com/en-us/HT212004
- N/A (empty)
- iOS 12.5.4 (Jun 2021): https://support.apple.com/en-us/HT212548
- N/A (empty)
- iOS 12.5.5 (Sep 2021): https://support.apple.com/en-us/HT212824
- N/A (empty)
- iOS 12.5.6 (Aug 2022): https://support.apple.com/en-gb/HT213428
- N/A (empty)
- iOS 12.5.7 (Jan 2023): https://support.apple.com/en-us/HT213597
- N/A (empty)
- iOS 13.0 (Sep 2019): https://support.apple.com/en-us/HT210606
- A person with physical access to an iOS device may be able to access contacts from the lock screen via Messages (CVE-2019-8742).
- iOS 13.1 (Sep 2019): https://support.apple.com/en-us/HT210603
- A person with physical access to an iOS device may be able to access contacts from the lock screen via Voice Over (CVE-2019-8775). Original video (iOS 13 Beta): https://www.youtube.com/watch?v=7eWJkePoNAU Video: https://www.youtube.com/watch?v=pW0TTnBCA04
- iOS 13.1.1 (Sep 2019): https://support.apple.com/en-us/HT210624
- N/A (empty)
- iOS 13.1.2 (Sep 2019): N/A
- iOS 13.1.3 (Oct 2019): N/A
- iOS 13.2 (Oct 2019): https://support.apple.com/en-us/HT210721
- N/A (empty)
- iOS 13.2.2 (Nov 2019): N/A
- iOS 13.2.3 (Nov 2019): N/A
- iOS 13.3 (Dec 2019): https://support.apple.com/en-us/HT210785
- N/A (empty)
- iOS 13.3.1 (Jan 2020): https://support.apple.com/en-us/HT210918
- A person with physical access to an iOS device may be able to access contacts from the lock screen via Messages (CVE-2020-3859)
- A person with physical access to an iOS device may be able to access contacts from the lock screen via Phone (CVE-2020-3828)
- iOS 13.4 (March 2020): https://support.apple.com/en-us/HT211102
- N/A (empty)
- iOS 13.4.1 (Apr 2020): N/A
- iOS 13.5 (May 2020): https://support.apple.com/en-us/HT211168
- N/A (empty)
- iOS 13.5.1 (Jun 2020): https://support.apple.com/en-us/HT211214
- N/A (empty)
- iOS 13.6 (Jul 2020): https://support.apple.com/en-us/HT211288
- N/A (empty)
- iOS 13.6.1 (Aug 2020): N/A
- iOS 13.7 (Sep 2020): N/A
- iOS 14.0 (Sep 2020): https://support.apple.com/en-us/HT211850
- The screen lock may not engage after the specified time period (CVE-2020-9946).
- A person with physical access to an iOS device may be able to view notification contents from the lock screen (CVE-2020-9959).
- iOS 14.0.1 (Sep 2020): N/A
- iOS 14.1 (Sep 2020): N/A
- iOS 14.2 (Nov 2020): https://support.apple.com/en-us/HT211929
- N/A (empty)
- iOS 14.3 (Dec 2020): https://support.apple.com/en-us/HT212003
- N/A (empty)
- iOS 14.4 (Jan 2021): https://support.apple.com/en-us/HT212146 (updated)
- An attacker with physical access to a device may be able to see private contact information (CVE-2021-1756).
- iOS 14.4.1 (Mar 2021): https://support.apple.com/en-us/HT212221
- N/A (empty)
- iOS 14.4.2 (Mar 2021): https://support.apple.com/en-us/HT212256
- N/A (empty)
- iOS 14.5 (Apr 2021): https://support.apple.com/en-us/HT212317
- An attacker with physical access to a device may be able to access Notes due to a vulnerability in the Accessibility features (CVE-2021-1835).
- iOS 14.5.1 (May 2021): https://support.apple.com/en-us/HT212336
- N/A (empty).
- iOS 14.6 (May 2021): https://support.apple.com/en-us/HT212528
- A local attacker may be able to view Now Playing information from the lock screen (CVE-2021-30756).
- A user may be able to view restricted content in Notes from the lock screen (CVE-2021-30699).
- iOS 14.7 (July 2021): https://support.apple.com/en-us/HT212601
- N/A (empty).
- iOS 14.7.1 (July 2021): https://support.apple.com/en-us/HT212623
- N/A (empty).
- iOS 14.8 (Sep 2021): https://support.apple.com/en-us/HT212807
- N/A (empty).
- iOS 14.8.1 (Oct 2021): https://support.apple.com/en-us/HT212868
- A user may be able to view restricted content from the lock screen via Status Bar (CVE-2021-30918). Tweet: https://twitter.com/VBarraquito/status/1438186052808757256 (Video: https://www.youtube.com/watch?v=5L2uVg8FDBs, access to Notes via Siri/Voice Over)
- iOS 15.0 (Sep 2021): https://support.apple.com/en-us/HT212814
- A local attacker may be able to view contacts from the lock screen via Siri (CVE-2021-30815).
- iOS 15.0.1 (Oct 2021): https://support.apple.com/en-us/HT212866
- A user may be able to view restricted content from the lock screen via Status Bar (CVE-2021-30918). Tweet: https://twitter.com/VBarraquito/status/1438186052808757256 (Video: https://www.youtube.com/watch?v=5L2uVg8FDBs, access to Notes via Siri/Voice Over)
- iOS 15.0.2 (Oct 2021): https://support.apple.com/en-us/HT212846
- N/A (empty).
- iOS 15.1 (Oct 2021): https://support.apple.com/en-us/HT212867
- A local attacker may be able to view contacts from the lock screen via Siri (CVE-2021-30875).
- iOS 15.2 (Dec 2021): https://support.apple.com/en-us/HT212976
- A person with physical access to an iOS device may be able to access contacts from the lock screen via Notes (CVE-2021-30932).
- iOS 15.2.1 (Jan 2022): https://support.apple.com/en-us/HT213043
- N/A (empty).
- iOS 15.3 (Jan 2022): https://support.apple.com/en-us/HT213053
- N/A (empty).
- iOS 15.3.1 (Feb 2022): https://support.apple.com/en-us/HT213093
- N/A (empty).
- iOS 15.4 (Mar 2022): https://support.apple.com/en-gb/HT213182
- A person with physical access may be able to view and modify the (cellular) carrier account information and settings from the lock screen via the GSMA authentication panel (CVE-2022-22652).
- A person with physical access to a device may be able to use Siri to obtain some location information from the lock screen (CVE-2022-22599).
- A person with physical access to an iOS device may be able to access photos from the lock screen via VoiceOver (CVE-2022-22671).
- iOS 15.4.1 (Mar 2022): https://support.apple.com/en-gb/HT213219
- N/A (empty).
- iOS 15.5 (May 2022): https://support.apple.com/en-gb/HT213258
- A person with physical access to an iOS device may be able to access photos from the lock screen (CVE-2022-26703).
- iOS 15.6 (Jul 2022): https://support.apple.com/en-gb/HT213346
- A user may be able to view restricted content from the lock screen via Home (CVE-2022-32855).
- iOS 15.6.1 (Aug 2022): https://support.apple.com/en-gb/HT213412
- N/A (empty).
- iOS 15.7 (Sep 2022): https://support.apple.com/en-gb/HT213445
- A person with physical access to an iOS device may be able to access photos from the lock screen via Shortcuts (CVE-2022-32872).
- iOS 15.7.1 (Oct 2022): https://support.apple.com/kb/HT213490
- A user may be able to view restricted content from the lock screen via FaceTime (CVE-2022-32935).
- iOS 15.7.2 (Dec 2022): https://support.apple.com/en-us/HT213531
- N/A (empty).
- iOS 15.7.3 (Jan 2023): https://support.apple.com/en-us/HT213598
- N/A (empty).
- iOS 15.7.4 (Mar 2023): https://support.apple.com/en-us/HT213673
- N/A (empty).
- iOS 15.7.5 (Apr 2023): https://support.apple.com/en-us/HT213723
- N/A (empty).
- iOS 15.7.6 (May 2023): https://support.apple.com/en-us/HT213765
- N/A (empty).
- iOS 15.7.7 (Jun 2023): https://support.apple.com/en-us/HT213811
- N/A (empty).
- iOS 15.7.8 (Jul 2023): https://support.apple.com/en-us/HT213842
- There is a mention to Screnshots, with no extra details.
- iOS 15.7.9 (Sep 2023): https://support.apple.com/en-us/HT213913
- N/A (empty).
- iOS 15.8 (Oct 2023): https://support.apple.com/en-gb/HT213990
- N/A (empty).
- iOS 15.8.1 (Jan 2024): https://support.apple.com/en-gb/HT214062
- N/A (empty).
- iOS 15.8.2 (Mar 2024): N/A (This update has no published CVE entries)
- N/A (empty).
- iOS 15.8.3 (Jul 2024): N/A (This update has no published CVE entries)
- N/A (empty).
- iOS 16.0 (Sep 2022): https://support.apple.com/en-gb/HT213446
- A person with physical access to an iOS device may be able to access photos from the lock screen via Shortcuts (CVE-2022-32872).
- iOS 16.0.1 (Sep 2022): N/A (This update has no published CVE entries)
- iOS 16.0.2 (Sep 2022): N/A (This update has no published CVE entries)
- iOS 16.0.3 (Oct 2022): https://support.apple.com/en-us/HT213480
- N/A (empty).
- iOS 16.1 (Oct 2022): https://support.apple.com/en-us/HT213489
- A user may be able to view restricted content from the lock screen via FaceTime (CVE-2022-32935).
- iOS 16.1.1 (Nov 2022): https://support.apple.com/en-us/HT213505
- N/A (empty).
- iOS 16.1.2 (Nov/Dec 2022): https://support.apple.com/en-us/HT213516
- N/A (empty).
- iOS 16.2 (Dec 2022): https://support.apple.com/en-us/HT213530
- N/A (empty).
- iOS 16.3 (Jan 2023): https://support.apple.com/en-us/HT213606
- N/A (empty).
- iOS 16.3.1 (Feb 2023): https://support.apple.com/en-us/HT213635
- N/A (empty).
- iOS 16.4 (Mar 2023): https://support.apple.com/en-us/HT213676
- A person with physical access to an iOS device may be able to view the last image used in Magnifier from the lock screen (CVE-2022-46724 - Aug, 2023).
- iOS 16.4.1 (Apr 2023): https://support.apple.com/en-us/HT213720
- N/A (empty).
- iOS 16.5 (May 2023): https://support.apple.com/en-us/HT213757
- A person with physical access to a device may be able to view contact information from the lock screen via Siri (CVE-2023-32394).
- iOS 16.5.1 (Jun 2023): https://support.apple.com/en-us/HT213814
- N/A (empty).
- iOS 16.6 (Jul 2023): https://support.apple.com/en-us/HT213841
- N/A (empty).
- iOS 16.6.1 (Sep 2023): https://support.apple.com/en-us/HT213905
- N/A (empty).
- iOS 16.7 (Sep 2023): https://support.apple.com/en-gb/HT213927
- N/A (empty).
- iOS 16.7.1 (Oct 2023): https://support.apple.com/en-gb/HT213972
- N/A (empty).
- iOS 16.7.2 (Oct 2023): https://support.apple.com/en-gb/HT213981
- An attacker with physical access may be able to use Siri to access sensitive user data (CVE-2023-41982 and CVE-2023-41997).
- iOS 16.7.3 (Dec 2023): https://support.apple.com/en-gb/HT214034
- N/A (empty).
- iOS 16.7.4 (Dec 2023): N/A (This update has no published CVE entries)
- iOS 16.7.5 (Jan 2024): https://support.apple.com/en-gb/HT214063
- N/A (empty).
- iOS 16.7.6 (Mar 2024): https://support.apple.com/kb/HT214082
- A person with physical access to a device may be able to use Siri to access private calendar information (CVE-2024-23289).
- iOS 16.7.7 (Mar 2024): https://support.apple.com/en-us/HT214098
- N/A (empty).
- iOS 16.7.8 (May 2024): https://support.apple.com/en-us/HT214100
- N/A (empty).
- iOS 16.7.9 (Jul 2024): https://support.apple.com/en-us/120908
- Siri: An attacker with physical access may be able to use Siri to access sensitive user data (CVE-2024-40818).
- Siri: An attacker with physical access to a device may be able to access contacts from the lock screen (CVE-2024-40822).
- VoiceOver: An attacker may be able to view restricted content from the lock screen (CVE-2024-40829).
- iOS 16.7.10 (Aug 2024): N/A (This update has no published CVE entries)
- N/A (empty).
- iOS 17.0 (Sep 2023): https://support.apple.com/en-gb/HT213938
- N/A (empty).
- iOS 17.0.1 (Sep 2023): https://support.apple.com/en-gb/HT213926
- N/A (empty).
- iOS 17.0.2 (Sep 2023): N/A (This update has no published CVE entries)
- iOS 17.0.3 (Oct 2023): https://support.apple.com/en-gb/HT213961
- N/A (empty).
- iOS 17.1 (Oct 2023): https://support.apple.com/en-gb/HT213982
- An attacker with physical access may be able to use Siri to access sensitive user data (CVE-2023-41982, CVE-2023-41997 and CVE-2023-41988).
- A device may persistently fail to lock due to the Status Bar (CVE-2023-40445).
- iOS 17.1.1 (Nov 2023): N/A (This update has no published CVE entries)
- iOS 17.1.2 (Nov 2023): https://support.apple.com/en-gb/HT214031
- N/A (empty).
- iOS 17.2 (Dec 2023): https://support.apple.com/en-gb/HT214035
- N/A (empty).
- iOS 17.3 (Jan 2024): https://support.apple.com/en-gb/HT214059
- N/A (empty).
- iOS 17.3.1 (Feb 2024): N/A (This update has no published CVE entries)
- N/A (empty).
- iOS 17.4 (Mar 2024): https://support.apple.com/kb/HT214081
- A person with physical access to a device may be able to use Siri to access private calendar information (CVE-2024-23289).
- iOS 17.4.1 (Mar 2024): https://support.apple.com/en-us/HT214097
- N/A (empty).
- iOS 17.5 (May 2024): https://support.apple.com/en-us/HT214101
- Notes: An attacker with physical access to an iOS device may be able to access notes from the lock screen (CVE-2024-27835).
- Screenshots: An attacker with physical access may be able to share items from the lock screen (CVE-2024-27803).
- iOS 17.6 (Jul 2024): https://support.apple.com/en-us/120909
- Phone: An attacker with physical access may be able to use Siri to access sensitive user data (CVE-2024-40813).
- Siri: An attacker with physical access may be able to use Siri to access sensitive user data (CVE-2024-40818).
- Siri: An attacker with physical access to a device may be able to access contacts from the lock screen (CVE-2024-40822).
- VoiceOver: An attacker may be able to view restricted content from the lock screen (CVE-2024-40829).
- iOS 17.6.1 (Aug 2024): N/A (This update has no published CVE entries)
- N/A (empty).
- iOS 17.7 (Sep 2024): https://support.apple.com/en-us/121246
- Accessibility: An attacker with physical access to a locked device may be able to Control Nearby Devices via accessibility features (CVE-2024-44171).
- iOS 18.0 (Sep 2024): https://support.apple.com/en-us/121250
- Accessibility: An attacker with physical access to a locked device may be able to Control Nearby Devices via accessibility features (CVE-2024-44171).
- Accessibility: An attacker may be able to see recent photos without authentication in Assistive Access (CVE-2024-40852).
- Siri (2 CVEs): An attacker with physical access may be able to access contacts from the lock screen (CVE-2024-44139) (CVE-2024-44180).
Protecting iOS Devices Against Lock Screen Bypass Vulnerabilities
This extensive list of iOS lock screen bypass vulnerabilities can be exploited by anyone that gets physical access to a target device, even temporarily. It is therefore crucial for both security professionals and pen-testers, as part of their recommendations within pen test reports, to provide countermeasures that mitigate the associated risks. In fact, unless an organization is impeccable in their patching and update process, you are pretty much guaranteed to find an older version of iOS on some of their devices that could lead to a significant finding. And, if the organization employs a Bring Your Own Device (BYOD) policy, again you are ensured of a proliferation of older versions ripe for attack. If you can gather information about the use of such devices, you’ll have a nice finding for your report.In order to minimize the impact of lock screen bypass vulnerabilities in iOS devices, it is highly recommended to always update the mobile device to the latest iOS version available, which supposedly fixes all the publicly known vulnerabilities, and manually (or though an MDM solution) verify that you really are in the latest and expected iOS version (http://blog.dinosec.com/2014/06/ios-back-to-future.html).
Besides that, in iOS some of the (current and future) lock screen bypass vulnerabilities can be mitigated by limiting the functionality available in the lock screen. The following list summarizes various recommended configuration options currently available to protect the lock screen on iOS devices (it is outdated, as it applies to iOS version 8, with additional clarifications for iOS 7; however, the concepts can also be applied to newer iOS versions). Of course, turning off these functions can improve security by lowering the attack surface, but also may anger users who aren’t able to utilize the latest gee-whiz features of their devices. Evaluate each of these actions before applying them, as there is always a security versus usability trade off associated to disabling the functionality and features available in the lock screen without requiring the user to enter a passcode. For organizations requiring a high degree of security, though, these hardened configurations should at least be considered:
- Disable Siri (or Voice Dial, if Siri is not enabled; watch out as Music Voice Control is always enabled (*)) when the device is locked: Navigate to "Settings –> Passcode –> Siri (or Voice Dial)" and disable it there ("Allow access when locked: Siri = OFF"):
- Disable Passbook when the device is locked: Navigate to "Settings –> Passcode –> Passbook" and disable it there ("Allow access when locked: Passbook = OFF").
- Disable the Control Center from the lock screen to avoid exposing sensitive controls, such as enabling/disabling the Wi-Fi or Bluetooth interfaces, or even airplane mode: Navigate to "Settings –> Control Center –> Access on Lock Screen = OFF". The multiple controls available in Control Center cannot be customized; therefore it can only be enabled or disabled completely.
- Disable the Notification Center, and specifically, its availability from the lock screen, including Today View (new since iOS 7). In iOS 8, navigate to "Settings –> Passcode –> Allow access when locked:" and disable both "Today" and "Notifications View":
- To accomplish the same task in iOS 7, navigate to "Settings –> Notification Center –> Access on Lock Screen" and disable both, "Notifications View" and "Today View".
- More granular notification settings can be configured for each individual app from the "Include" section of Notification Center. Apps can be completely unlinked from Notification Center by accessing their settings and turning off notifications. In iOS 8, go to "Settings –> Notifications –>
–> Allow Notifications = OFF". The app will be moved to the "Do Not Include" section at the bottom (e.g. Twitter app):
Additionally, the "Show on Lock Screen" setting from the same menu allows defining if the individual app notifications will be available on the lock screen or not. In iOS 7, these and other adjustments in the next set of recommendations were available under "Settings –> Notification Center –> ..." instead. In iOS 7, to unlink an app from the Notification Center go to "Settings –> Notifications –> –> Show in Notification Center = OFF". iOS allows answering back a phone call without knowing the passcode by simply swapping the missed call notification available in the lock screen. This behavior cannot be disabled, except by not showing this kind of missed call notification in the lock screen (go to "Settings –> Notifications –> Phone –> Show on Lock Screen = OFF"):
Similar recommendations apply to other apps that can also show sensitive information in the lock screen, such as Messages. It is recommended to disable the preview of Messages by going to "Settings –> Notifications –> Messages –> Show Previews = OFF" (a specific issue with this setting has been fixed in iOS 8, CVE-2014-4356):
In order to avoid issues with the SmartCover in iPad devices, its usage can be disabled from "Settings –> General –> Lock/Unlock":
Disable the camera: In order to remove the quick camera access icon from the lock screen, completely restrict access to the camera via "Settings –> General –> Restrictions" and disable the 'Camera', which will also turn off FaceTime. As there is no other way to simply disable the quick camera access icon, this radical countermeasure is the only option available to avoid someone taking pictures from your iOS device:
Establish a passcode with at least one alphabetic character, so that the look & feel of the iOS lock screen does not disclose if your passcode is just a PIN (4 digits), is made up of just digits (more than 4), or (preferred option) is alphanumeric. ... and remember to frequently physically clean up the screen of your iOS devices too to avoid fingerprints, residues and smudge revealing your passcode :-)