A new passcode vulnerability could allow attackers to bypass your iPhone lock screen and access photos and contacts.
To perform the bypass, an attacker would need physical access to the locked device. First, the attacker would have to activate VoiceOver using Siri. Then the attacker would sleep the iPhone with the side button and call it with another phone.
When the first phone receives the call, the attacker would press the message button, select the ‘Custom’ message option and then tap the ‘+’ icon in the top right corner.
Using another phone, the attacker must then send a text or iMessage to the target phone. When the notification pops up, the attacker double-taps it. This triggers a glitch in the UI that highlights the ‘+’ icon beneath the notification.
After a short wait, the screen will go white, and the notification will disappear. However, the VoiceOver selection box is still tappable, and the attacker can use it to navigate an unseen Messages interface. The attacker must swipe the screen, selecting different interface elements, until the VoiceOver box moves under the notch and VoiceOver announces ‘Cancel’. Selecting that will reveal the original Messages screen.
Then, if an attacker adds a new recipient to the message and enters any numeral from the keyboard, Messages will reveal a list of recently dialled or received phone numbers and contacts. Additionally, if the attacker disables VoiceOver and taps the ‘i’ info button beside any of the contacts in the list, it will show the contact information.
Finally, using 3D Touch on the contact brings up call and message options, as well as options to create a new contact or add it to an existing contact.
From here, the attacker can follow a similarly convoluted set of steps that allows access to the iPhone’s Camera Roll and other photo folders.
Currently, the bypass works on all iPhones running iOS 12. It even affects the new iPhone XS and XS Max. Furthermore, it appears Apple hasn’t fixed it in the iOS 12.1 beta.
However, users can protect themselves simply by disabling Siri access on the lock screen.