iOS 9 hack lets anyone see all photos and contacts even if phone is locked

A bug in iOS 9 lets anyone see all of a person’s pictures or contact information, even if they have locked their phone.

A very quick workaround, which uses Siri, lets people into the phone even if the passcode and Touch ID fingerprint sensor is turned on.

To exploit the bug, would-be hackers repeatedly mash the numbers on the passcode screen until the iPhone threatens to lock the user out. Speaking to Siri to help open the Clock app, and then clicking through, allows people unfettered access to the Photos and Contacts app, potentially making available personal data.

The exploit has been shown in a proof-of-concept video by Jose Rodriguez, who has a track record of finding similar bugs in iOS. Rodriguez confirmed that the phone was not his to Apple Insider.

The bug can be easily prevented by heading to Settings and choosing Touch ID & Passcode. Turning off Siri when the phone is locked stops the hack from working.

Another way of keeping the phone safe is by using a longer, alphanumeric password, rather than the four or six digit passcodes that are set up by default.

The problem does not seem to have been fixed in iOS 9.0.1, the recently rolled out update to the system.

Similar bugs have been found in various first updates to iOS — versions 7, 6 and 4 were all initially vulnerable to similar hacks. Since the iPhone’s lock screen is the main defence against people getting unwanted access to the phone, it has become a particular target for hackers.