The security researcher Jose Rodriguez discovered a new lock screen vulnerability for iOS 15 (& iOS 14.8) that has yet to be fixed.

The security researcher Jose Rodriguez (@VBarraquito) discovered a new lock screen vulnerability for iOS 15 (& iOS 14.8) that has yet to be addressed by Apple. A threat actor with physical access to a vulnerable device can access Notes via Siri/Voice Over.

Rodriguez explained that in real incidents, unattended or stolen devices with a lock screen bypass vulnerability are exposed to attacks that could leverage a lock screen vulnerability to access sensitive information.

This specific type of vulnerability represents a serious threat to individuals and organizations, for this reason, the expert suggests including their research when conducting a mobile pen-testing assessment.

The expert disclosed details about the lock screen bypass vulnerability after Apple downplayed similar flaws, tracked as CVE-2021-1835 and CVE-2021-30699, reported by the researcher earlier this year.

The flaws allowed an attacker to access instant messaging apps like WhatsApp or Telegram even while the mobile device was locked.

Rodriguez explained that Apple partially fixed the issue and did not involve him in the test of the released patch.

Then the expert proposed a variant of the same bypass issue that leverages Apple Siri and VoiceOver services to access the Notes app.

The expert also published a video PoC for the latest screen bypass vulnerability:

Let me suggest reading a post published by the expert that includes a long list of similar vulnerabilities:

https://blog.dinosec.com/2014/09/bypassing-ios-lock-screens.html

The iPhone Manual – Tips and Hacks