Apple has just released iOS 9.3.1, the first update to iOS 9.3. While it is meant to fix a significant web link crashing issue that has affected many iOS users, the new update has been found to contain a security vulnerability that allows anyone to access important data even without a passcode.
Issues With Apple's iOS 9.3.1
The vulnerability has been shown through a YouTube video that was uploaded by Jose Rodriguez (and first spotted by The Daily Dot), reports MacRumors. In the video, a user performs a "Siri" search, then follows with a series of relatively simple tasks, one of which involves 3D Touch - indicating that the trick is limited to the iPhone 6s and 6s Plus devices.
One can only take advantage of the security flaw if the iPhone owner has already given Siri the permission to access several kinds of information: the owner's Twitter account information, contacts, photos and operations that require the use of a passcode or Touch ID to establish device ownership.
Taking Advantage Of The Security Flaw
To access the data and take advantage of the vulnerability, one has to follow several simple steps: first, one has to invoke Siri on the locked phone either by using the "Hey, Siri" function or by holding the home button. When Siri responds, a Twitter search then needs to be conducted.
When Siri displays results that contain contact information such as email addresses, a 3D Touch gesture is then used on the contact information to call for a Quick Actions Menu. Once the menu appears, tapping on the "Add to Existing Contact" option will then bring up the iPhone's Contacts list. Additionally, when opting to add a photo to the entry, that phone's photos library also becomes free for access.
Disabling Access
Worried that someone might access your data? Ensuring that Siri's access to both Twitter and Photos is disabled means that you are protected from the vulnerability. To do this, go to Settings - Privacy - Twitter and if Siri is listed, turn off its access.
In the same way, in Privacy - Photos, turn all listings of Siri's access to the Off position. Denying Siri access to your Contacts requires that you disable Siri's lock screen activation. To do so, go to Settings - Touch ID & Passcode and turn off the Siri switch.
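For administrators of managed iPhones, the last step above (turning off Siri on the lock screen) can be pushed as a configuration profile rather than set by hand on each device. The following is an added example, not from the original article: it builds such a profile using the `allowAssistantWhileLocked` key of Apple's Restrictions payload and checks the result. The identifier `com.example.siri-lockscreen` and the function names are assumptions, and the Twitter and Photos privacy switches are not covered by this profile.

```python
import plistlib
import uuid

RESTRICTIONS = "com.apple.applicationaccess"  # Apple's Restrictions payload type


def _uuid(name):
    # Deterministic UUID: rebuilding the profile replaces the installed copy.
    return str(uuid.uuid5(uuid.NAMESPACE_DNS, name)).upper()


def build_profile(identifier="com.example.siri-lockscreen", allow_while_locked=False):
    """Return .mobileconfig bytes. Pass allow_while_locked=None to omit the key."""
    restrictions = {
        "PayloadType": RESTRICTIONS,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": _uuid(identifier + ".restrictions"),
        "PayloadDisplayName": "Siri off while locked",
    }
    if allow_while_locked is not None:
        restrictions["allowAssistantWhileLocked"] = allow_while_locked
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,  # hypothetical identifier
        "PayloadUUID": _uuid(identifier),
        "PayloadDisplayName": "Lock screen Siri restriction",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def siri_blocked_when_locked(profile_bytes):
    """True only if a Restrictions payload explicitly sets the key to false."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS:
            continue
        # A missing key means the device default applies: Siri stays allowed.
        if payload.get("allowAssistantWhileLocked", True) is False:
            return True
    return False


if __name__ == "__main__":
    data = build_profile()
    with open("siri-lockscreen.mobileconfig", "wb") as fh:
        fh.write(data)
    print("Siri blocked while locked:", siri_blocked_when_locked(data))
```
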