iOS 12.1 Group FaceTime bug allows viewing of a locked iPhone's contact details

Posted:
in iOS
A bug has been discovered in the way iOS 12.1 handles Group FaceTime calls, one which can allow a hacker to access the details of a contact stored on an iPhone, without needing to unlock the smartphone at all.

Demonstrating the data accessible within Group FaceTime using 3D Touch while the iPhone is locked
Demonstrating the data accessible within Group FaceTime using 3D Touch while the iPhone is locked


The public release of iOS 12.1 allowed iPhone and iPad users to make Group FaceTime calls, which extends the existing FaceTime functionality to allow up to 32 callers to take part in a video conference. While the change increases the caller limit from two, the mechanism to add contacts also appears to be susceptible to abuse, including when the iPhone itself is locked.

Security researcher Jose Rodriguez discovered the issue, reports The Hacker News, which leverages a number of elements in iOS that Apple permits to be used without unlocking the iPhone.

In the video demonstration, the iPhone being attacked is called by a different iPhone, and the call answered. Once connected, Rodriguez transitions the call to a FaceTime video call, then in the bottom right menu selects "Add Person."

By tapping the plus icon, it brings up the device's contact list as part of the process to add a new user. Rather than adding, using 3D Touch on each contact can bring up more details, including email addresses, phone numbers, and other information.





The attack itself will work on all iPhones running iOS 12.1, including the iPhone XS and iPhone XS Max, but seemingly not the iPhone XR. AppleInsider attempted to perform the same test on an iPhone XR, but while the contact list can be brought up while locked, the lack of 3D Touch means the extra contact data is unavailable.

Rodriguez has previously discovered other ways to access contacts and other data from a locked iPhone, with methods revealed in September and October featuring the VoiceOver screen reader feature and, in one case, the Notes app. The latest discovery is a far simpler process and doesn't require VoiceOver to be active, making it usable on a far wider array of devices.

It is worth stressing that this style of attack on a device is very limited in scope. The attacker has to both physically access the device and call it from another iPhone in order to access FaceTime in the first place, and the information that can be gathered only relates to contacts, so a user's private data stored on the iPhone itself is not at risk.

It is likely that Apple will issue a fix for this vulnerability in a future iOS update, but it is unknown how long users may have to wait before it is released.

Comments

  • Reply 1 of 13
    LatkoLatko Posts: 171member
    That is what you get if you pull the feature out of the public beta ... ehh alpha, that is.
    edited November 2018
  • Reply 2 of 13
    You can’t have it both ways...

    You can’t take the calling function and move it outside of the secured area and expect it to remain secure.  I can see why you’d need 911 available, and maybe a “security contact + alternate” available without a login, but that should be it.

    Making the full “Contacts” fully available is just dumb.




    anton zuykovbeowulfschmidt
  • Reply 3 of 13
    After more than a decade's worth of experience with Apple's iOS updates, why anyone would download these things immediately upon release still remains a HUGE mystery to me.
    edited November 2018
  • Reply 4 of 13
    taddtadd Posts: 92member
    is there a way to turn off Facetime calling or Facetime multi-way?  Or make it so one can't accept a call when locked?
  • Reply 5 of 13
    Very limited in scope indeed... 
  • Reply 6 of 13
    thrangthrang Posts: 751member
    Does anyone deeply care? Are they significantly concerned they will have one contact hacked?

    Yeah, yeah, fix it, but jeez... if this is the level of security "concerns", I'm quite happy tbh...
  • Reply 7 of 13
    taddtadd Posts: 92member
    I think it could be a concern.  For instance, on my phone I have the phone#, gate-codes and etc of a famous relative.  Knowing that, a paparazzi might pay to get their hands on my phone just to pull that relative's phone #.  If I were to want to install 5.1, I'd first go take that info out of the contact sheet.   But does the paparazzi or the thieves know that I would take that precaution?  Maybe my phone gets stolen on spec? 

  • Reply 8 of 13
    thrangthrang Posts: 751member
    tadd said:
    I think it could be a concern.  For instance, on my phone I have the phone#, gate-codes and etc of a famous relative.  Knowing that, a paparazzi might pay to get their hands on my phone just to pull that relative's phone #.  If I were to want to install 5.1, I'd first go take that info out of the contact sheet.   But does the paparazzi or the thieves know that I would take that precaution?  Maybe my phone gets stolen on spec? 

    Let us know when you see reports of this vulnerability in the wild...lol...
    chasm
  • Reply 9 of 13
    mac_dogmac_dog Posts: 621member
    tadd said:
    I think it could be a concern.  For instance, on my phone I have the phone#, gate-codes and etc of a famous relative.  Knowing that, a paparazzi might pay to get their hands on my phone just to pull that relative's phone #.  If I were to want to install 5.1, I'd first go take that info out of the contact sheet.   But does the paparazzi or the thieves know that I would take that precaution?  Maybe my phone gets stolen on spec? 
    I’m not sure this is even a concern. Sounds more ego driven than anything else.
  • Reply 10 of 13
    Apple should have hired Rodriguez a long time ago. He seems to be smarter than all the apple “geniuses” put together. 
  • Reply 11 of 13
    chasmchasm Posts: 1,031member
    Let's remember that the attacker must:
    a. have your iPhone in their possession;
    b. must very quickly move to make a FT call before the lockout happens;
    c. must know this particular trick, and
    d. must be able to make use of the data gathered (which is probably incomplete for most contacts)

    Yes, it's a flaw, and yes it should be fixed (which Apple has already done on the XR) but ... puh-lease. The odds of this affecting anyone, anywhere, ever make your winning-the-lottery odds look reasonable.
    edited November 2018
  • Reply 12 of 13
    GaryEm said:
    Apple should have hired Rodriguez a long time ago. He seems to be smarter than all the apple “geniuses” put together. 

    Jose, is that you? :)
  • Reply 13 of 13
    I can't think of any reason anybody would want to do it, so it won't ever happen in the "real world".

    /s
Sign In or Register to comment.