Demo appears to show iOS 8 has Siri-based security bug
YouTube blogger posts video of access to locked iPhone 6, without passcode, TouchID entry
Apple Inc's iOS 8.0 and 8.0.2 contain a sporadic security glitch that allows the TouchID and passcode to be bypassed on an iPhone 6, a YouTube-based tech blog claimed today.
EverythingApplesPro posted a five-minute video in which the newly released variant of iOS 8 appeared to allow access to a locked iPhone 6.
Apple released iOS 8.0.2 as a fix for minor release 8.0.1, which caused dropped calls and disabled TouchID for some users.
In the video, the blogger demonstrates he is using 8.0.2, but says the flaw is also present in 8.0. He then enables Apple's voice-interface assistant Siri and the new setting "Allow 'Hey Siri'", which permits the phone to be woken up (while connected via cable to a power source) by the user saying "Hey Siri".
The blogger enabled both TouchID and passcode, but said either on its own would also expose the flaw. It took him several attempts to demonstrate the flaw, but after locking his iPhone 6, he said "Hey Siri" and then, after Siri woke up the phone: "How's the weather like going to be today [sic]?"
Once Siri responded to the question, the demonstrator hit the home button and swiped the screen to enter the passcode. On the first few attempts the keypad appeared, prompting entry of the passcode, but on one occasion the user appeared to swipe and enter the home screen without any need for a passcode. He then demonstrated that the passcode was still enabled.
While admitting that the setup was "challenging", as the phone had to be connected to power and the glitch did not occur every time, he urged YouTube denizens to spread the word so Apple might fix the flaw in the next update.
The blogger said he could only vouch for the glitch in an iPhone 6.