An oversight in Apple's iOS 12 allows unauthorized users to bypass the device’s passcode exposing their photos and contacts, a researcher reported.
Independent researcher Jose Rodriguez posted a demonstration in a Spanish-language YouTube video revealing how an attacker with physical access to a user’s device could partially unlock the person's content as long as Siri is enabled and Face ID is either disabled or physically covered.
While the procedure is somewhat complex and involves more than 30 steps, a dedicated attacker could easily exploit a device running iOS 12 or higher by using Siri to enable voiceover, using another device to call the target device and going to messages. An English version of the attack demonstration is also available.
The attacker must then go through a series of swipes while listening for audio cues from Siri until they are ultimately able to ultimately scroll through photos and see contacts on the device.
Those who fear their device may be vulnerable to this and other attacks can increase their security by disabling Siri from the lock screen by going into Settings/Touch ID & Passcode, scrolling down to the “Allow access when locked” section and ensuring that Siri is disabled.