iOS 12, the latest version of Apple’s mobile operating system, which was released in the middle of September, is already facing a serious security problem. Apparently, someone has found a way to get around its lock screen security to access the device owner’s contacts, emails, telephone numbers, and photos.
It is in fact a matter of two separate bypass exploits unearthed by a security researcher. One is a lock screen bypass, and the other is a Face ID and Touch ID bypass.
Complex Bypasses in iOS 12 Discovered
Of course, if someone wants to exploit iOS 12’s lock screen, they will need to go through 12 steps in a specific sequence in order to view contacts, numbers and emails. In addition, there are 21 separate steps to view photos. This makes an attack complicated to accomplish, but a dedicated individual with enough time, the right set of instructions and physical access to the device would definitely go through the trouble.
The two complicated bypasses were discovered by Jose Rodriguez, and they are indeed difficult to perform. The steps involve the use of Siri, Apple’s VoiceOver screen reader feature and the Notes app. Both methods work on iPhones running iOS 12, including models with Face ID or Touch ID.
The researcher revealed the exploits in two separate videos in Spanish shared on his YouTube channel. The first video shows how a malicious user would be able to bypass Face ID and Touch ID security protocols.
First, Rodriguez activates VoiceOver through a Siri request. Then, he calls the target iPhone with a separate device and, with the call dialogue displayed, taps the “Message” button to create a custom text message, AppleInsider explained.
Once in Messages, Rodriguez moves the text selector to the “+” symbol, denoting the addition of another contact, then uses the secondary device to text the target iPhone, triggering a notification to appear. Double tapping the screen on the target iPhone while the notification is displayed appears to cause a conflict in the iOS user interface.
It should also be noted that the researcher confirmed to AppleInsider that the second device is required to carry out the bypass.
With the screen now blank, Siri is once again activated and quickly deactivated. The screen remains blank, but VoiceOver’s text selection box is seemingly able to access and navigate Messages’ user menu. Swiping back through the available options and selecting “Cancel” retrieves the original Messages screen, where a nefarious user can add a new recipient. Selecting a numeral from the soft keyboard brings up recently dialed or received phone numbers and contacts that contain metadata associated to that number.
From there on, it is very easy to access the address book, provided that a displayed contact or number presents an “i” or info button next to the entry in question.
Disabling VoiceOver, again via Siri, and tapping on the “i” icon displays a contact’s information. Performing a 3D Touch gesture on the contact avatar brings up options to “Call,” “Message,” “Add to Existing Contact” or “Create New Contact.” Selecting the latter displays a full list of contacts.
Then, Photos become retrievable via enabling VoiceOver and swiping down to Camera Roll on an unseen user menu, researchers explained.
The two bypasses are yet to be addressed in the latest iOS 12.1 beta.
To minimize the risk, users can disable Siri lock screen access in Settings > Face ID & Passcode or Settings > Touch ID & Passcode under the “Allow access when locked” heading. The second bypass can be mitigated by enabling password protection for Notes by navigating to Settings > Notes > Password.