iOS 9 security flaw grants unrestricted access to Photos and Contacts

A video making the rounds this week claims to disclose an iOS 9 security flaw that bypasses a passcode protected lock screen to grant unhindered access to a device's stored photos and contacts.

The somewhat involved process was discovered by Jose Rodriguez, who also uncovered an obscure iOS 6.1.3 lock screen bypass two years ago.

As described in Rodriguez's proof-of-concept video the procedure takes advantage of an apparent bug related to Siri lock screen access and iOS 9's five-attempt lockout policy. Under a specific set of circumstances invoking Siri from an iPhone or iPad's lock screen grants limited system access.

Rodriguez confirmed to AppleInsider that he does not own the iPhone used in the demonstration, nor were his fingerprints registered with Touch ID. AppleInsider independently confirmed the bypass' validity in a series of tests. It should be noted that only devices protected by simple four- or six-digit passcodes are vulnerable to attack, while those with long alphanumeric passwords remain unaffected.

Apple has yet to address the bypass, though tests showed today's iOS 9.0.1 update and iOS 9.1 beta versions do not contain a fix.

In lieu of an permanent solution from Apple, concerned users can disable Siri lock screen access by navigating to Settings > Touch ID & Passcode, entering their current passcode and deactivating Siri under the "Allow access when locked" heading. Alternatively, the bypass can be thwarted by creating a custom alphanumeric passcode.

Unfortunately, iOS is no stranger to lock screen bypass bugs, as evidenced by iOS 7, iOS 6 and iOS 4.