Complex iOS 12 passcode bypasses grant access to iPhone Contacts and Photos

Posted:
in General Discussion edited September 2018
A pair of extremely involved passcode bypasses discovered in Apple's latest iOS 12 can grant attackers access to Contacts and Photo data on a user's iPhone, including models protected by Face ID.




Unearthed by Jose Rodriguez, the exploits are rather complicated, each containing multiple steps involving Siri, Apple's VoiceOver screen reader feature and, in one case, the Notes app. Both methods work on iPhones running the latest version of iOS, including models with Face ID or Touch ID biometric security.

The first of the the two videos posted to Rodriguez's Spanish language YouTube channel explains a vulnerability that allows a potential attacker to bypass both Face ID and Touch ID security protocols.

Demonstrating the process, Rodriguez activates VoiceOver through a Siri request. From there, he calls the target iPhone with a separate device and, with the call dialogue displayed, taps the "Message" button to create a custom text message. Once in Messages, Rodriguez moves the text selector to the "+" symbol, denoting the addition of another contact, then uses the secondary device to text the target iPhone, triggering a notification to appear. Double tapping the screen on the target iPhone while the notification is displayed appears to cause a conflict in the iOS user interface.

Rodriguez confirmed to AppleInsider that the second device is required to perform the bypass.

With the screen now blank, Siri is once again activated and quickly deactivated. The screen remains blank, but VoiceOver's text selection box is seemingly able to access and navigate Messages' user menu. Swiping back through the available options and selecting "Cancel" retrieves the original Messages screen, where a nefarious user can add a new recipient. Selecting a numeral from the soft keyboard brings up recently dialed or received phone numbers and contacts that contain metadata associated to that number.

Going further, the entire address book can be accessed if a displayed contact or number presents an "i," or info, button next to its respective entry. Disabling VoiceOver, again via Siri, and tapping on the "i" icon displays a contact's information. Performing a 3D Touch gesture on the contact avatar brings up options to "Call," "Message," "Add to Existing Contact" or "Create New Contact." Selecting the latter displays a full list of contacts.

Finally, Photos are retrievable by once again enabling VoiceOver and swiping down to "Camera Roll" on an unseen user menu. Navigating through recent photos, screenshots and other folders via gestures and audio cues allows an attacker to assign individual pictures to a contact's user icon.





A second video details a lock screen bypass that, while limited in scope, demonstrates yet another bug exists in Apple's mobile operating system.

Rodriguez again invokes Siri, but this time creates a new note. After adding a picture to the note, he locks the phone and repeats the process. Tapping on the inserted image in the second note presents a media sharing icon that, when selected, brings up a blank share sheets UI. Asking Siri to enable VoiceOver provides access to an unseen menu containing a user's default sharing options.





Apple has yet to address the vulnerabilities in the latest iOS 12.1 beta.

Concerned users can minimize exposure to the apparent bugs by disabling Siri lock screen access in Settings > Face ID & Passcode or Settings > Touch ID & Passcode under the "Allow access when locked" heading. The second attack can be thwarted by enabling password protection for Notes by navigating to Settings > Notes > Password.

Rodriguez discovered a number of lock screen bypasses in past versions of iOS, including an obscure SIM card-related flaw in iOS 6.1.3.
«1

Comments

  • Reply 1 of 24
    I’m now frightened. /s
  • Reply 2 of 24
    mac_dogmac_dog Posts: 1,083member
    Uh...yeah...
    dont have Siri enabled, so this is a non issue. 
    rotateleftbytecornchipmuthuk_vanalingam
  • Reply 3 of 24
    SoliSoli Posts: 10,038member
    I don't get how this same type of bug is still common with iOS after all these years.
    tyler82magman1979cornchipmuthuk_vanalingam
  • Reply 4 of 24
    If Siri is enabled on the lock screen, your phone is not secure anyway.
  • Reply 5 of 24
    Rayz2016Rayz2016 Posts: 6,957member
    bonobob said:
    If Siri is enabled on the lock screen, your phone is not secure anyway.

    True.
    cornchip
  • Reply 6 of 24
    Rayz2016Rayz2016 Posts: 6,957member
    Soli said:
    I don't get how this same type of bug is still common with iOS after all these years.
    These are pretty obscure cases, so I’m more impressed he was able to find them – though “access Siri when the phone is locked” is a good starting point.

     I think the only thing Siri should do with a locked phone is play music, nothing else.
    edited September 2018 Muntzcornchipmuthuk_vanalingam
  • Reply 7 of 24
    Rayz2016 said:
    Soli said:
    I don't get how this same type of bug is still common with iOS after all these years.
    These are pretty obscure cases, so I’m more impressed he was able to find them – though “access Siri when the phone is locked” is a good starting point.

     I think the only thing Siri should do with a locked phone is play music, nothing else.
    Actually the fact he figured out you had to get Siri to enable voiceover, which I had no idea Siri had the ability to turn on and off features on the phone. The key to this hack is the voiceover feature.
    netmage
  • Reply 8 of 24
    I’m now frightened. /s
    The whole world doesn’t revolve around you. For people living under oppressive regimes, journalists, people working for NGO’s, diplomats, business people traveling abroad etc. this can be a legitimate security concern. If theses were issues on an Android device you would no doubt be howling about it ... 😀
    tyler82mac_128cornchipmuthuk_vanalingam
  • Reply 9 of 24
    @EverythingApplelPro demonstrated some of this on YT a couple of days ago.
  • Reply 10 of 24
    sflocalsflocal Posts: 6,136member
    bulk001 said:
    I’m now frightened. /s
    The whole world doesn’t revolve around you. For people living under oppressive regimes, journalists, people working for NGO’s, diplomats, business people traveling abroad etc. this can be a legitimate security concern. If theses were issues on an Android device you would no doubt be howling about it ... 😀
    Not true.  We’d expect it to happen on Android, and it probably is.  That’s why no one makes a fuss about Android’s security problems because everyone knows it’s a joke.

    On the other hand, people have expectations for the iPhone - and Apple.  
    andrewj5790macplusplusnetmageStrangeDayscornchipjony0
  • Reply 11 of 24
    neilmneilm Posts: 1,001member
    Soli said:
    I don't get how this same type of bug is still common with iOS after all these years.
    Yeah, because it's so obvious. I'm sure the exploits will be all over this one.
    [/s]
    andrewj5790
  • Reply 12 of 24
    taddtadd Posts: 136member
    Even though enabling locked-iPhone Siri access seems bad, it is actually still really difficult to read data from the iPhone while it is locked. 
  • Reply 13 of 24
    bulk001 said:
    I’m now frightened. /s
    The whole world doesn’t revolve around you. For people living under oppressive regimes, journalists, people working for NGO’s, diplomats, business people traveling abroad etc. this can be a legitimate security concern. If theses were issues on an Android device you would no doubt be howling about it ... 😀
    🙄🙄🙄
    Rayz2016
  • Reply 14 of 24
    Rayz2016 said:
    Soli said:
    I don't get how this same type of bug is still common with iOS after all these years.
    These are pretty obscure cases, so I’m more impressed he was able to find them – though “access Siri when the phone is locked” is a good starting point.

     I think the only thing Siri should do with a locked phone is play music, nothing else.
    Maybe also call an emergency number? You never know when that might come in handy, and when it does you’ll be happy it was there.
  • Reply 15 of 24
    bulk001 said:
    I’m now frightened. /s
    The whole world doesn’t revolve around you. For people living under oppressive regimes, journalists, people working for NGO’s, diplomats, business people traveling abroad etc. this can be a legitimate security concern. If theses were issues on an Android device you would no doubt be howling about it ... ߘবt;/div>
    With Google, it would be indeed a non-issue, since their whole system is less secure. 
    edited September 2018
  • Reply 16 of 24
    bulk001 said:
    I’m now frightened. /s
    The whole world doesn’t revolve around you. For people living under oppressive regimes, journalists, people working for NGO’s, diplomats, business people traveling abroad etc. this can be a legitimate security concern. If theses were issues on an Android device you would no doubt be howling about it ... 😀
    They're already there (most Android phones sold have old Android versions with huge security holes), just no one gives a shit seemingly. It is expected.
  • Reply 17 of 24
    bulk001 said:
    I’m now frightened. /s
    The whole world doesn’t revolve around you. For people living under oppressive regimes, journalists, people working for NGO’s, diplomats, business people traveling abroad etc. this can be a legitimate security concern. If theses were issues on an Android device you would no doubt be howling about it ... ߘবt;/div>
    They should not have any function accessible from the locked screen, without typing in a passcode. Period!

    "If theses were issues on an Android device you would no doubt be howling about it ... ߘবt;/span>"
    Given the fact that the majority of Android phones have removable SD cards for memory, not encrypted storage and no secure enclave to store highly sensitive data, you should not be bringing up this remark at all...
    edited September 2018
  • Reply 18 of 24
    Such a complex sequence of actions that let you into any iPhone. Gee. Almost seems like some sort of an intended hard to find “key” that could have been designed into the system to allow, well, maybe governments to get into phones they have been screaming for access to? After all, what’s more important to a company than access to profits which a government could hinder by placing, let’s say, tariffs on imports of their products as one example.
    cornchipmac_128
  • Reply 19 of 24
    MplsPMplsP Posts: 4,043member
    Rayz2016 said:
    Soli said:
    I don't get how this same type of bug is still common with iOS after all these years.
    These are pretty obscure cases, so I’m more impressed he was able to find them – though “access Siri when the phone is locked” is a good starting point.

     I think the only thing Siri should do with a locked phone is play music, nothing else.
    This was my thought as well. Reading though the description, just following the steps to do the hack is a feat!
  • Reply 20 of 24
    taddtadd Posts: 136member
    microbe said:
    Such a complex sequence of actions that let you into any iPhone. Gee. Almost seems like some sort of an intended hard to find “key” that could have been designed into the system to allow, well, maybe governments to get into phones they have been screaming for access to? After all, what’s more important to a company than access to profits which a government could hinder by placing, let’s say, tariffs on imports of their products as one example.
    Except that this sequence wouldn't be necessary at all if the customer let the phone unlocked, and this sequence is completely blocked if the customer doesn't have SIRI enabled while locked.  Really, this vulnerability is an edge case.  It only affects phones that are both locked and have SIRI enabled-while-locked.    
    cornchip
Sign In or Register to comment.