A new vulnerability has been discovered in Apple’s latest iOS version. The passcode bypass flaw in Apple’s iOS 12 could allow hackers to view photos and contacts on a locked iPhone. The vulnerability affects iPhone models that come with Face ID and biometric security. However, to exploit the vulnerability an attacker must have physical access to the targeted iPhone.
Jose Rodriguez, who has also found similar iPhone hacks, discovered this vulnerability in the new iOS 12 version. Rodriguez is a self-proclaimed Apple enthusiast and an office clerk based in Spain, Threatpost reported. He demonstrated the hack in a YouTube video, which showed a complicated process of at least 36 steps involving Siri and Apple’s VoiceOver screen reader feature.
Rodriguez told Threatpost that the hack worked successfully on a number of other iPhone models, including Apple’s newest model iPhone XS.
In the video demo, Rodriguez activates VoiceOver through a Siri request, after which he calls the targeted iPhone from a different device. When the call dialogue appears on the screen, he taps the “Message” button, which, in turn, creates a custom text message.
After accessing messages, the researcher taps the + symbol, appearing to add another contact. Rodriguez again uses the secondary device to text the targeted iPhone, triggering the appearance of a notification. Once this is done, all one needs to do to cause a conflict in the iOS user interface is to double-tap the screen on the targeted iPhone.
The user interface conflict causes the device’s screen to go blank, immediately after which Siri is reactivated and quickly deactivated. The technique allowed Rodriguez to access the dialed and received phone numbers and contacts that contain metadata associated with a number.
Furthermore, an attacker exploiting the iOS vulnerability can perform the following actions:-
Rodriguez told AppleInsider that a second device is required to perform the bypass. A hacker could also retrieve photos by enabling VoiceOver and swiping down to “Camera Roll” on an unseen user menu.
In a second video, Rodriguez demonstrated how this bug, which was relatively limited in scope, can be exploited. In this case, Rodriguez created a new note, with a picture, to exploit the vulnerability.
Apple has yet to release a fix for these vulnerabilities in the latest iOS 12.1 beta operating system.