CVE-2016-7653

Vulnerability

The Media Player component in iOS versions prior to 10.2 contains a vulnerability that allows unauthorized access to sensitive information from the lock screen. Specifically, an attacker with physical proximity to the device can leverage the lock screen interface to view photos and contact details without authentication. This issue affects iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation and later running iOS versions before 10.2 [1].

Exploitation

An attacker must have physical access to the locked device and be able to interact with the lock screen. By exploiting the Media Player component, the attacker can navigate to view photos and contacts without unlocking the device. The exact steps are not detailed in the available reference, but the vulnerability is triggered through the lock screen interface.

Impact

Successful exploitation allows a physically proximate attacker to obtain sensitive photo and contact information from the device. This constitutes a disclosure of personal data, potentially compromising user privacy. The attacker does not gain full device access but can view specific data through the lock screen.

Mitigation

Apple addressed this issue in iOS 10.2, released on December 12, 2016 [1]. Users should update to iOS 10.2 or later to mitigate the vulnerability. No workaround is available for older versions.