SIM card dialing bug. | Source: videosdebarraquito via Youtube
The flaw, found on Wednesday by YouTube user "videosdebarraquito," allows unauthorized users access a locked handset's address book and photos by ejecting the SIM card while using voice control to make a call.
It appears that the flaw is limited to iPhones without Siri support, as AppleInsider was not able to reproduce the behavior on an iPhone 5.
As seen in the demonstration video, the process is somewhat more involved than simply dialing and canceling an emergency call. In order to reproduce the bug, a malicious user must be using an iPhone incompatible with Siri, which has Voice Control activated, and have a paper clip or SIM card extraction tool. By holding down the Home button when an iPhone is locked, a user can request a number to be dialed. When the Voice Control system initiates the call, the removal of the SIM card tray, and thus the SIM card, defaults the phone app back to the dialing screen. From there, contacts, photos and recent call information can be accessed.
When Apple released iOS 6.1.3 on Tuesday, the company patched a similar lock screen bug that bypassed the lock screen security code to give low-level access to contact information and other assets available from the phone app.
While Tuesday's discovery is likely to be fixed in an upcoming iOS update, for now users can simply turn off "Voice Control" in the Settings menu to disallow unwanted iPhone access.