iOS is renowned for having good security, but that doesn't mean the system is flawless. A novel, albeit not devastating, passcode bypass could let anyone with physical access to your iPhone see your entire contact list and their associated photos.
By taking advantage of a flaw in the way Siri, the contact list and the esoteric VoiceOver mode interact, a dedicated attacker could learn the names and contact information for every friend, coworker and loved one in your iPhone, plus whatever images you use to represent them.
The good news is that there's a very easy way to prevent anyone from taking advantage of this bypass: Don't lend your phone to anyone, unless you trust him or her implicitly. (And, obviously, don't let your phone get stolen.) The flaw takes a good minute or two to exploit and requires a user to have your phone in hand in a quiet environment.
The information comes from Spanish hacker Jose Rodriguez, who runs videosdebarraquito, an iPhone enthusiast channel on YouTube and Instagram. In a video entitled "Passcode Bypass iOS 12 (1-Call)," Rodriguez demonstrates how to access a user's contact list, even when the phone is locked down tight behind a passcode.
Security news website Threatpost checked Rodriguez's work and discovered that the flaw works on iOS 12 and the iOS 12 beta on an iPhone XS. It's likely that this method can compromise all up-to-date iPhones, including the brand-new iPhone XS Max and XR as well as the XS. (Rodriguez himself uses an older Touch ID-enabled model in his demonstration video.)
But if you're curious how it works, Rodriguez discovered a rather clever exploit. Even when an iPhone is locked, a user can invoke Siri by tapping twice on the home button. Siri won't let you access sensitive information this way, but one thing you can do is ask Siri to turn on the phone's VoiceOver mode.
VoiceOver helps vision-impaired users by announcing whatever's currently highlighted on the screen: "Text message notification," for example, if someone sends you a text and you have notifications enabled at the top of your screen.
Using VoiceOver mode, Rodriguez was able to answer to an incoming phone call by using Message. However, VoiceOver mode does something funny. If you choose to "personalize" your messaging options, you can scroll through a blank screen, where your contact names and numbers would normally be.
This doesn't present a risk in and of itself, but users can then scroll to the top of the screen and select the text field to write in a contact's name. This is where the bypass comes in: If you write a letter or a number, the iPhone will show you all contacts with that letter or number included in them. From there, it's a matter of selecting a contact, tapping "Add information to existing contact," and being able to access a user's entire contact list.
None of this is simple. To pull this off, you'd first need to tape over or disable the Face ID camera on an iPhone X, XS, XR or XS Max, or just use a Touch ID iPhone. You'd also need another phone to call or FaceTime the targeted iPhone at exactly the right moment in your passcode-bypass process.
And what a long process it is: The GadgetHacks website enumerated 37 separate steps in Rodriguez's hack, although GadgetHacks confirmed that it does indeed work.
IN any case, a successful bypasser would have access to every name, phone number and email address in your contact list. In all likelihood, this includes professional contacts, close friends and loved ones, all of whom could make easy scam targets.
What's also troubling is that if you have a photo attached to a contact, the attacker will be able to see that too. This isn't as damning as being able to access your entire photo library, but the attacker will know what many of your friends and family look like. If you have a lewd photo saved for a contact, of course, an attacker can see that as well.
It's worth pointing out that while this security hole is troubling, it's hardly catastrophic. There is no evidence that anyone could use this method to gain full access to your phone, nor is there any indication that anyone's tried to exploit it in the wild.
Tom's Guide has reached to Apple for comment. Whether or not we get a reply, the flaw will probably be addressed soon. Until then, keep your phone where you can see it.