iPhone iOS 13 Lockscreen Bypass Flaw Exposes Contacts

apple lock screen bypass iOS 13

Apple will not fix the glitch until the release of iOS 13.1 later in September.

An iPhone lock screen bypass has been discovered that could enable an attacker to access victims’ address books, including their contacts’ names, email addresses, phone numbers, mailing addresses and more.

The hack was first discovered by researcher Jose Rodriguez, an Apple enthusiast based in Spain who has found a slew of previous iPhone bypasses. This latest one could enable someone with physical access to a vulnerable iPhone to bypass the passcode authorization screen, and exists in the beta version of Apple’s soon-to-be-released mobile operating system, iOS 13.

iOS 13 won’t be released to the masses until Sept. 19, but Rodriguez confirmed that the flaw works on the Gold Master (GM) version of iOS 13, which has been shipped out to developers (although it does appear to be fixed in beta versions of iOS 13.1, which is slated to be released on Sept. 30, Rodriguez said).

He told Threatpost that he sent the issue to Apple in July 2019 as part of a report on two security flaws in iOS 13 Beta.

“I found the bug in early July, along with another bug, I sent both bugs to complete a security report that Apple recorded in my iPhone by installing a profile and recording what happened in my iPhone… to bypass the lock screen,” Rodriquez explained to Threatpost (translated using Google Translate).

As Rodriguez showed in a Youtube video, the hack works if an attacker with access to a victim’s iPhone first makes a FaceTime call from another Apple device to the impacted phone. Once the victim’s phone receives the FaceTime call, instead of answering the attacker clicks the “custom” option, and then respond with a text message.

From there, the user must use Apple’s voice-over feature — which allows users to make requests to Siri using voice commands — to request to change the “to” field of the text message, and the “to” field then pulls up the phone’s contact list. That allows a user to look through the victims’ address book and siphon contacts, phone numbers and email addresses.

The attack has been tested and confirmed by various news outlets in the iOS 13 GM running on an iPhone X.

Luckily, the hack would be difficult to launch, as an attacker must have access to the phone in question. The impacted iPhones would also need to support Siri for enabling voice control, Rodriguez told Threatpost.

The flaw is reminiscent of another recent passcode bypass vulnerability, also discovered by Rodriguez, in 2018. That was in Apple’s then-brand-new iOS version 12, and could allow an attacker to access photos and contacts (including phone numbers and emails) on a locked iPhone XS and other devices.

Rodriguez told Threatpost that though he reported the flaw to Apple in July, he did not get a reward for the report.

“The issue got closed in mid-August, Apple had promised me a gift in rewarding for the reports, but finally I didn’t get anything, only a thank you,” he told Threatpost.

That’s against the backdrop of Apple in August announcing that it is looking to boost vulnerability disclosure efforts from the security community by opening its historically private bug-bounty program to all researchers this fall. In addition, it plans to drastically boost some rewards for vulnerabilities found in its devices, and it’s adding a much-wanted program for its Mac devices. While Apple’s maximum payout was previously $200,000 for finding vulnerabilities in hardware (like secure boot firmware components), now it’s offering a hefty reward of $1 million for a network attack with no user interaction that could lead to zero-click kernel code-execution with persistence.

Apple did not respond to a request for comment.

Interested in the role of artificial intelligence in cybersecurity, for both offense and defense? Don’t miss our free Threatpost webinar, AI and Cybersecurity: Tools, Strategy and Advice, with senior editor Tara Seals and a panel of experts. Click here to register.

Suggested articles

Discussion

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.