Security gaps in iOS lock screens are nothing new, and it appears iPhone owners have another one on their hands following the release of iOS 12.1.
A new vulnerability in Apple's just-released update allows full access to a device's contacts, and getting there is as simple as attempting a call using Siri.
The reason for the flaw is Group FaceTime — a new feature introduced in iOS 12.1 that allows up to 32 people to join in on the same video or audio call. Because FaceTime supports more than two participants now, you can add other iPhone and iPad users to your conversation mid-call, and it's through that interface that an attacker could access all of your contacts.
The process has been outlined in a YouTube video from user videosdebarraquito. We tested it ourselves with an iPhone XS Max running iOS 12.1, and it happens to be relatively straightforward. If access to Siri via the lock screen is enabled (as it is by default in iOS), an attacker could begin a normal voice call through a voice command, and then transition to FaceTime when the call goes to voicemail.
At that point, the attacker can act as if they're adding a participant, which brings them to a full list of contacts. That screen in and of itself doesn't display specific information, like phone numbers and email addresses, directly next to the listed names. However, if they force touch into an entry, a contextual menu with those details will pop up, with no prompt for a passcode or any form of authentication.
It's a concerning oversight, and one that's not especially new to Apple's phones, where old lock screen security holes appear to be patched up as quickly as new ones are identified. That said, there are caveats. Of course, the attacker would have to get the phone in their hands to carry this out, and Siri must be accessible while the phone is locked.
If you're particularly concerned about this issue, you could work around it until Apple delivers a fix by deactivating Siri access from the lock screen. To do this, go to Settings > Siri & Search and toggle off Allow Siri When Locked.