Apple keeps releasing iOS updates and Spanish researcher José Rodríguez keeps finding new ways to bypass each version’s lockscreen security.
This week’s target was iOS 12.1, which appeared on Tuesday. By Wednesday, Rodríguez had posted a YouTube video showing how the lockscreen could be beaten with the help of Siri and FaceTime to reveal the device’s contact phone numbers and email addresses.
Apart from having physical access to the target iPhone, all an attacker would need is the phone number of the target (if they don’t know the number, they can just ask Siri “who am I?” from the target phone).
The attacker would then:
- Pick up the call
- Initiate FaceTime from the call menu screen
- Swipe up and enable airplane mode
- Immediately tap the (…) icon (for iOS 12.1.1 swipe up on the panel at the bottom)
- Tap “Add Person”
- Tap the (+) icon
Hey presto! They can scroll through the contact information.
Just to get ahead of Apple’s security team, the method even reportedly works on the beta for the forthcoming iOS 12.1.1.
Rodríguez’s lockscreen bypasses have become an uncomfortable fixture lately.
The most recent was only two weeks ago, a lockscreen bypass in iOS 12.0.1 that would have given an attacker access to a device’s photos.
Ironically, that update included fixes for two previous lockscreen bypasses Rodríguez had publicised in September that compromised contacts, emails, telephone numbers, and photos.
Before that, the same researcher had discovered a clutch of lockscreen bypass issues going back to 2013.
Until Apple posts a fix, you can mitigate the flaw by disabling Siri’s VoiceOver lockscreen access: go to Settings → Siri & Search and turn off “Allow Siri When Locked”.
A deeper question is why Siri and the lockscreen still don’t mix happily.
It could simply be that there is a fundamental incompatibility in their purpose – locked access versus easy voice access to some functions – which is inherently difficult to reconcile without compromise.