Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

iOS Lockscreen Bypass Gives Access to Contacts, Photos

Apple’s upcoming updates for iOS will likely include a fix for a new lockscreen bypass technique that can be used to access contact information and photos on locked iPhones and iPads.

Apple’s upcoming updates for iOS will likely include a fix for a new lockscreen bypass technique that can be used to access contact information and photos on locked iPhones and iPads.

The method, discovered by the individuals behind the EverythingApplePro and iDeviceHelp channels on YouTube, requires physical access to the targeted device and Siri enabled on the lockscreen.

First, the attacker needs to figure out the device’s phone number, which can easily be obtained by asking Siri “Who am I?” from the lockscreen. Once Siri provides the number, the attacker initiates a voice or FaceTime call to the targeted device from another phone.

When the call comes in, the attacker presses the “Message” icon and selects the “Custom” option. The iPhone or the iPad will then display a “new message” screen. There is not much a user can do from this screen, but there is a “trick” — the attacker can use Siri to activate the “VoiceOver” accessibility feature, and then double tap and hold the “to” field in the “new message” screen and immediately tap on the keyboard until some new icons appear.

This part of the exploit is not very reliable — the double tap on “to” and the tap on the keyboard may need to be repeated several times until the new icons appear. The VoiceOver feature can then be disabled using Siri.

At this point, typing any letter from the keyboard will bring up contacts under that letter. By pressing the ⓘ icon associated with a contact, the attacker can access that contact’s information and they also get a menu that includes the “Create New Contact” option.

By creating a new contact and tapping the “add photo” icon, the attacker gains access to the targeted iPhone or iPad’s photo gallery. It’s worth noting that the device remains locked this entire time, but the lockscreen bypass does provide access to contact details and photos.

The vulnerability appears to affect all versions of iOS starting from 8.0 and up to the latest 10.2. Both EverythingApplePro and iDeviceHelps have published videos to show how the passcode bypass method works on various types of Apple devices:

Advertisement. Scroll to continue reading.

Until Apple releases an iOS update that addresses the issue, users can protect themselves against this hack by disabling Siri on the lockscreen.

Several iOS passcode bypass exploits have been disclosed in the past months, including by researchers at Germany-based Vulnerability Lab.

Related Reading: Researcher Proves FBI Wrong With iPhone Passcode Hack

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Cloud security giant Wiz has named Fazal Merchant as President and Chief Financial Officer.

Cybersecurity and data protection company Acronis has appointed Gerald Beuchelt as CISO.

Adam Zoller has joined CrowdStrike as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.