Apple iOS 12 passcode bypass allows unauthenticated access to iPhone features

An oversight in Apple's iOS 12 allows unauthorized users to bypass the device’s passcode, exposing the owner's photos and contacts, a researcher reported.

Independent researcher Jose Rodriguez posted a demonstration in a Spanish-language YouTube video revealing how an attacker with physical access to a user’s device could partially unlock the person's content as long as Siri is enabled and Face ID is either disabled or physically covered.

While the procedure is somewhat complex and involves more than 30 steps, a dedicated attacker could easily exploit a device running iOS 12 or higher by using Siri to enable VoiceOver, using another device to call the target device and going to Messages. An English version of the attack demonstration is also available.

The attacker must then go through a series of swipes while listening for audio cues from Siri until they are ultimately able to scroll through photos and see contacts on the device.

Those who fear their device may be vulnerable to this and other attacks can increase their security by disabling Siri from the lock screen by going into Settings/Touch ID & Passcode, scrolling down to the “Allow access when locked” section and ensuring that Siri is disabled.
