A pair of extremely involved passcode bypasses discovered in Apple’s latest iOS 12 can grant attackers access to Contacts and Photo data on a user’s iPhone, including models protected by Face ID.
Unearthed by Jose Rodriguez, the exploits are rather complicated, each containing multiple steps involving Siri, Apple’s VoiceOver screen reader feature and, in one case, the Notes app. Both methods work on iPhones running the latest version of iOS, including models with Face ID or Touch ID biometric security.
The first of the the two videos posted to Rodriguez’s Spanish language YouTube channel explains a vulnerability that allows a potential attacker to bypass both Face ID and Touch ID security protocols.
Demonstrating the process, Rodriguez activates VoiceOver through a Siri request. From there, he calls the target iPhone with a separate device and, with the call dialogue displayed, taps the “Message” button to create a custom text message. Once in Messages, Rodriguez moves the text selector to the “+” symbol, denoting the addition of another contact, then uses the secondary device to text the target iPhone, triggering a notification to appear. Double tapping the screen on the target iPhone while the notification is displayed appears to cause a conflict in the iOS user interface.
Rodriguez confirmed to AppleInsider that the second device is required to perform the bypass.
With the screen now blank, Siri is once again activated and quickly deactivated. The screen remains blank, but VoiceOver’s text selection box is seemingly able to access and navigate Messages’ user menu. Swiping back through the available options and selecting “Cancel” retrieves the original Messages screen, where a nefarious user can add a new recipient. Selecting a numeral from the soft keyboard brings up recently dialed or received phone numbers and contacts that contain metadata associated to that number.
Going further, the entire address book can be accessed if a displayed contact or number presents an “i,” or info, button next to its respective entry. Disabling VoiceOver, again via Siri, and tapping on the “i” icon displays a contact’s information. Performing a 3D Touch gesture on the contact avatar brings up options to “Call,” “Message,” “Add to Existing Contact” or “Create New Contact.” Selecting the latter displays a full list of contacts.
Finally, Photos are retrievable by once again enabling VoiceOver and swiping down to “Camera Roll” on an unseen user menu. Navigating through recent photos, screenshots and other folders via gestures and audio cues allows an attacker to assign individual pictures to a contact’s user icon.
A second video details a lock screen bypass that, while limited in scope, demonstrates yet another bug exists in Apple’s mobile operating system.
Rodriguez again invokes Siri, but this time creates a new note. After adding a picture to the note, he locks the phone and repeats the process. Tapping on the inserted image in the second note presents a media sharing icon that, when selected, brings up a blank share sheets UI. Asking Siri to enable VoiceOver provides access to an unseen menu containing a user’s default sharing options.
Apple has yet to address the vulnerabilities in the latest iOS 12.1 beta.
Concerned users can minimize exposure to the apparent bugs by disabling Siri lock screen access in Settings > Face ID & Passcode or Settings > Touch ID & Passcode under the “Allow access when locked” heading. The second attack can be thwarted by enabling password protection for Notes by navigating to Settings > Notes > Password.