Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

New iPhone Passcode Bypass Method Found Days After Patch

A new method that can be used to bypass the iPhone lockscreen and access photos stored on the device was disclosed just days after Apple released a patch for a similar vulnerability.

A new method that can be used to bypass the iPhone lockscreen and access photos stored on the device was disclosed just days after Apple released a patch for a similar vulnerability.

In late September, iPhone enthusiast Jose Rodriguez, known for his YouTube channel videosdebarraquito, discovered yet another method for bypassing the iPhone lockscreen. The technique works on the new iPhone XS running the latest version of Apple’s mobile operating system, iOS 12.

Rodriguez showed how an attacker with physical access to the targeted device could leverage a combination of Siri and the VoiceOver feature to access photos and contacts from the phone.

Apple patched the vulnerability, which it tracks as CVE-2018-4380, on October 8 with the release of iOS 12.0.1.

However, a few days later, on October 12, Rodriguez demonstrated another passcode bypass that worked on iOS 12.0.1 as well.

The newest method also involves Siri and VoiceOver, the accessibility feature that allows individuals with visual impairments to use their Apple device by having the content of the screen and selected buttons read out to them.

The attack starts by calling the targeted device. If the phone number is not known, the attacker can have Siri read it out to them. Once the call is made, the hacker selects the Messages icon from the call screen and activates VoiceOver via Siri.

Similar to the previous passcode bypass, VoiceOver is used to navigate through hidden buttons and functions. The buttons are not visible on the screen, but VoiceOver can “see” and activate them. This allows a hacker to gain access to the Photo Library and open recent images stored there.

Advertisement. Scroll to continue reading.

Compared to the previous bypass, the latest method is easier to replicate and it not only provides access to photos, but also allows the attacker to send the files to another device. In addition, the new technique poses a greater risk as the photos can be sent to a different device in full resolution – the prior hack only provided access to a smaller size preview image.

Apple will likely patch this vulnerability in an upcoming version of iOS.

Related: iPhone 6s Lockscreen Bypass Allows Access to Photos, Contacts

Related: Multiple Passcode Bypass Vulnerabilities Discovered in iOS 9

Related:iOS Lockscreen Bypass Gives Access to Contacts, Photos

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Kenna Security co-founder Ed Bellis has joined Empirical Security as Chief Executive Officer.

Robert Shaker II has joined application security firm ActiveState as Chief Product and Technology Officer.

MorganFranklin Cyber has promoted Nick Stallone and Ferdinand Hamada into newly created roles.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.