A new iPhone 6s/6s Plus passcode bypass flaw is making the rounds on the internet today, and it’s similar to flaws we’ve seen in the past on iOS. Don’t be overly alarmed, though, as the odds of this happening to you are slim. Besides, if you are concerned, there are some bona fide ways to go about protecting yourself.
The bypass only works on the iPhone 6s and iPhone 6s Plus, because those devices feature 3D Touch, which is a requirement for this passcode bypass trick. Lesser devices don’t appear to be affected, because a long press doesn’t have the same effect as a 3D Touch.
Here’s how to test the passcode bypass
Step 1: Lock your device.
Step 2: Invoke Siri and say “Search Twitter”.
Step 3: Once Siri asks what to search for, say: “at-sign yahoo dot com” or any other popular email domain. The goal is to find a tweet containing a valid email address.
Step 4: Once the search results are returned, tap on a tweet with a valid email address.
Step 5: 3D Touch the email address to bring up the contextual menu.
Step 6: Tap Create New Contact → add photo in order to view the photos on the device. You can also view the contacts on the device by using the Add to Existing Contact option instead.
How to protect yourself
You can disable Siri access to photos, which will prevent people from using the Create New Contact → add photo option mentioned above in step 6. To do so, go to Settings → Privacy → Photos and disable the Siri switch. Unfortunately, this won’t prevent people from seeing your contacts, so if this is a concern, see the alternative security method below.
Disable Siri on the Lock screen
You can outright disable access to Siri from the Lock screen, stopping this passcode bypass method before it even begins. To do so, go to Settings → Touch ID & Passcode and disable the Siri switch under the Allow Access When Locked heading. This is the more drastic step: it eliminates the ability to use Siri altogether while at the Lock screen, so understand the consequences that this could have on your workflow.
You can also rest easy knowing that if your iPhone reboots or encounters a Touch ID grace period timeout, you’ll need to verify your passcode before using Siri. Chances are, you’ll never have to worry about your privacy being breached by means of this bypass. That said, you should be aware that such a thing exists, and more importantly, how to go about protecting yourself should the need arise.