Apple keeps releasing iOS updates and Spanish researcher José Rodríguez keeps finding new ways to bypass each version’s lockscreen security.
This week’s target was iOS 12.1, which appeared on Tuesday. By Wednesday, Rodríguez had posted a YouTube video showing how the lockscreen could be beaten with the help of Siri and FaceTime to reveal the device’s contact phone numbers and email addresses. Apart from having physical access to the target iPhone, all an attacker would need is the phone number of the target (if they don’t know the number, they can just ask Siri “who am I?” from the target phone). The attacker would then:
- Pick up the call
- Initiate FaceTime from the call menu screen
- Swipe up and enable airplane mode
- Immediately tap the (…) icon (for iOS 12.1.1 swipe up on the panel at the bottom)
- Tap “Add Person”
- Tap the (+) icon
Hey presto! They can scroll through the contact information. Just to get ahead of Apple’s security team, the method even reportedly works on the beta for the forthcoming iOS 12.1.1. Rodríguez’s lockscreen bypasses have become an uncomfortable fixture lately.
Until Apple posts a fix, you can mitigate the flaw by disabling Siri’s VoiceOver lockscreen access: go to Settings → Siri & Search and turn off Allow Siri when locked.