Apple’s latest iOS 12 seemed outstanding with its extra security features and its protections for user data privacy. However, one cannot deem it flawless. Recently, a security researcher discovered two complex passcode bypass methods for iOS 12 that expose an iPhone’s contacts and photos.
Complex Passcode Bypass Methods In iOS 12 Expose iPhone’s Data
The latest iOS 12 has a few glitches that allow access to contacts and photos while bypassing the passcode. Allegedly, Jose Rodriguez, who already has a history of identifying several iOS bugs, has once again discovered two bugs in iOS 12. The passcode bypass methods he demonstrates in his videos show how to access the phone’s data without entering the passcode, simply by using Siri.
In his first video, he demonstrated that activating VoiceOver via Siri lets anyone access the phone’s contacts and photos. An attacker with physical access to the target device can simply make a call to the phone. Then, after the call shows up, the attacker can tap the “Message” option to create a message. From here, the snooper can go to the add-contact option by tapping the “+” sign. Meanwhile, sending a message to the target device creates a conflict in the iOS UI when the device shows the message notification. After putting up with blank screens for a while, the attacker can eventually retrieve the original message. The attacker can also add a new message recipient by accessing the contact list.
Likewise, as seen in the video, an attacker can also access the device’s photos by activating VoiceOver and swiping to the “Camera Roll”. The process is long and complicated, but not too tricky to apply.
Here we share his video demonstrating the glitch.
Exploiting Passcode Bypass To Create And Share Notes And Make Calls
In another video, Rodriguez demonstrated a second passcode bypass trick that lets an attacker create notes via Siri. As shown, an attacker can create a new note, add media to it, lock the phone, and repeat the process to create a second note. Upon tapping the picture added to the second note, the attacker sees a media sharing icon that leads to a blank share sheet UI. At this point, activating VoiceOver can provide the attacker with sharing options. Here we share his demonstration.
At the moment, Apple has not released patches for this vulnerability, which currently affects iOS 12 and the iOS 12.1 beta. Until a patch becomes available, users can protect themselves from this exploit by disabling Siri lock screen access.