A passcode bypass vulnerability in Apple’s new iOS version 12 could allow an attacker to access photos and contacts (including phone numbers and emails) on a locked iPhone XS and other devices.
The hack allows someone with physical access to a vulnerable iPhone to sidestep the passcode authorization screen on iPhones running Apple’s latest iOS 12 beta and iOS 12 operating systems.
Threatpost was tipped off to the bypass by Jose Rodriguez, who describes himself as an Apple enthusiast and “office clerk” based in Spain who has also found previous iPhone hacks. Rodriguez posted a video of the bypass on his YouTube channel under the YouTube account Videosdebarraquito, where he walks viewers through a complicated 37-step bypass process in Spanish.
Threatpost has independently confirmed that the bypass works on a number of different iPhone models including Apple’s newest model iPhone XS.
Apple has not responded to Threatpost requests for comments for this story.
The loophole allows images to be accessible by editing a contact and changing the image associated with a specific caller. Apple had put mitigations in place to thwart hacks that allowed images to be viewed via contacts. However, Rodriguez found a convoluted way to circumvent these security barriers.
The process involves tricking Siri and Apple’s accessibility feature in iOS called VoiceOver to sidestep the device’s passcode. The attack works provided the attacker has physical access to a device that has Siri enabled and Face ID either turned off or physically covered (by tape, for instance).
iPhone passcode bypasses have become a common occurrence over the last few years and seem to pop up every couple of iOS releases. A similar iOS 10 passcode bypass was found several years ago that took advantage of a similar Siri and VoiceOver loophole. In the past, researchers have also disclosed how an attacker could use Siri to bypass an iPhone’s passcode to access native iOS apps like Clock and Event Calendar. That vulnerability affected iOS 9.0, 9.1 and 9.2.1. Another bypass surfaced in 2016 that affected iOS 9.3.1. That could have allowed an attacker to bypass Siri to search Twitter and in turn gain access to photos and contacts on a device.
Rodriguez’s bypass was picked up by website Gadget Hacks that broke it down into its many, many steps.