Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

New iPhone Passcode Bypass Method Found Days After Patch

A new method that can be used to bypass the iPhone lockscreen and access photos stored on the device was disclosed just days after Apple released a patch for a similar vulnerability.

A new method that can be used to bypass the iPhone lockscreen and access photos stored on the device was disclosed just days after Apple released a patch for a similar vulnerability.

In late September, iPhone enthusiast Jose Rodriguez, known for his YouTube channel videosdebarraquito, discovered yet another method for bypassing the iPhone lockscreen. The technique works on the new iPhone XS running the latest version of Apple’s mobile operating system, iOS 12.

Rodriguez showed how an attacker with physical access to the targeted device could leverage a combination of Siri and the VoiceOver feature to access photos and contacts from the phone.

Apple patched the vulnerability, which it tracks as CVE-2018-4380, on October 8 with the release of iOS 12.0.1.

However, a few days later, on October 12, Rodriguez demonstrated another passcode bypass that worked on iOS 12.0.1 as well.

The newest method also involves Siri and VoiceOver, the accessibility feature that allows individuals with visual impairments to use their Apple device by having the content of the screen and selected buttons read out to them.

Advertisement. Scroll to continue reading.

The attack starts by calling the targeted device. If the phone number is not known, the attacker can have Siri read it out to them. Once the call is made, the hacker selects the Messages icon from the call screen and activates VoiceOver via Siri.

Similar to the previous passcode bypass, VoiceOver is used to navigate through hidden buttons and functions. The buttons are not visible on the screen, but VoiceOver can “see” and activate them. This allows a hacker to gain access to the Photo Library and open recent images stored there.

Compared to the previous bypass, the latest method is easier to replicate and it not only provides access to photos, but also allows the attacker to send the files to another device. In addition, the new technique poses a greater risk as the photos can be sent to a different device in full resolution – the prior hack only provided access to a smaller size preview image.

Apple will likely patch this vulnerability in an upcoming version of iOS.

Related: iPhone 6s Lockscreen Bypass Allows Access to Photos, Contacts

Related: Multiple Passcode Bypass Vulnerabilities Discovered in iOS 9

Related:iOS Lockscreen Bypass Gives Access to Contacts, Photos

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.