Apple’s iOS security team must be starting to feel as if they’re being besieged by security sleuth José Rodríguez. In his latest YouTube proof-of-concept, the Spaniard demonstrates how an attacker with physical access to an Apple device running iOS 12.0.1 (including the latest X and XS models) can gain access to photos stored on it.
The bypass needs 13 steps and requires good timing, but at the end of the process, photos can be extracted by selecting and sending them to any number. Embarrassingly, Apple released iOS 12.0.1 last week to address a range of issues that had cropped up with iOS 12, including two separate lock screen bypass flaws publicised by Rodríguez in late September.
Admittedly, one of these was more serious because it allowed access to a device’s contacts, emails, telephone numbers, and photos, but at 37 steps it was also a lot trickier to pull off than his latest compromise. The root cause of the issue is the same in all of these – namely using Siri to activate VoiceOver to perform certain tasks without having to unlock the phone.
Apple will no doubt add the latest bypass to its fix list for the iOS 12.1 update later this month, but until then the problem can be mitigated by disabling Siri’s lock screen access: go to Settings → Siri & Search and turn off Allow Siri when locked.