Shared publicly on YouTube by iDeviceHelp, a newly discovered iPhone exploit which requires precise timing in conjunction with access to Siri on the lock screen, gives hackers access to contact information, including photos and message logs, without requiring a passcode. The folks over at AppleInsider were able to repeat the steps necessary to invoke the attack on an iPhone SE, an iPhone 6 Plus, and an iPhone 6S Plus, but not on an iPhone 7 or 7 Plus.
Here’s how it works:
Attackers with access to the device must call the phone, and start to send a message. After that, assailants instruct Siri to turn on voice over. For the next steps, timing is crucial. Attackers must double-tap the contact info bar, and hold the second tap on the bar, while immediately clicking on a keyboard which may or may not invoke in time for the exploit.
At this point, the attacker can type the first letter of a contact’s name, and then tap info button next to the contact to get information on the contact. The phone remains locked during the entire attack.
Meanwhile, another YouTube channel, EverythingApplePro, claims that the exploit works on any iPhone going back to iOS 8.0, including the new iPhone 7. Although Apple has been notified of the flaw, the only way to prevent the attack is to disable Siri while the phone is locked in the Touch ID & Passcode preferences.
Check out the Siri exploit in action in the following video: