October 15th, 2013 by admin in Apple, Privilege Escalation

A restricted-screen bypass caused by a design glitch has been identified in the official Apple iOS v7.0.1 for mobile devices (iPad|iPhone).
The vulnerability allows local attackers to bypass the display screen of the restricted SIM-locked mode.

The bypass vulnerability is located in iOS v7.0.1/7.0.2 and is reachable when the `sim locked` mode of an iPhone is active.
Local attackers can redirect the SIM-locked display to the regular default mode by using a restricted calculator function in
combination with the shutdown and unlock buttons. As a result, the local attacker is able to glitch (jump) into the regular locked
phone mode with calendar + hyperlinks, camera and control center. The SIM-locked display is in the end usable like the
regular mode, without the SIM-locked label on the screen.

The local SIM lock screen display bypass vulnerability can be exploited by local attackers with physical device access and without
user interaction. Successful exploitation results in a bypass from the SIM lock mode to the regular lock mode. In an earlier test (7.x)
we combined the earlier discovered issues to first unlock the SIM display (locked SIM card) and then bypass the passcode to fully compromise the device.

Proof of Concept (PoC):
The local vulnerability can be exploited by local attackers with physical device access and without user interaction.
For demonstration or to reproduce …

Manual reproduction, as shown in the iPhone PoC security video …

1. Start your iPhone and ensure you have iOS v7.0.1 installed
2. Activate the SIM Lock mode
3. Restart the device and you will see a black notification in the middle of the display (SIM locked)
Note: Sometimes the message also comes up in the restricted mode as a grey message box in the middle of the display.
4. Open the calendar and scroll down to the two hyperlinks
5. Press the power button and wait 2 seconds; in the last second, press one of the two hyperlinks
6. You get redirected via the hyperlink to the SIM lock passcode because of the restriction
7. Press the power button again for 3 seconds and, in the last second, push the home button
8. Click cancel again in the shutdown menu but keep holding the home button
9. Open the control center and go to the calculator. Now a message box appears automatically with the SIM lock entry button or the OK/cancel buttons
10. Press the shutdown button for 3 seconds and in the last second press the unlock or OK button while holding home
Note: The passcode module comes up, but some milliseconds later there is an automatic redirect to the earlier opened module (calculator)
11. Now the attacker presses the power button once more for 3 seconds and, when the menu opens, presses cancel and then the home button once
12. The locked screen disappears and the restricted screen display mode has been bypassed.

