iPhone Passcode Bypass Discovered Exposing Contacts and Photos

A new iPhone passcode bypass which could allow unrestricted access to a user’s contacts and photos has surfaced.

The exploit was first discovered by Jose Rodriguez, an iPhone enthusiast and taxi driver who has found several other passcode exploits in the past. Rodriguez published a Spanish-language video detailing the method on his YouTube channel, Videosdebarraquito.

Another YouTube channel, EverythingApplePro, also demonstrated the exploit in an English video published shortly after Rodriguez’s.

Notably, the vulnerability appears to affect all Apple handsets — including the latest iPhone XS and iPhone XS Max — which can run the newest software. That includes iOS 12 and the most recent beta versions of iOS 12.1.

To be clear, the bypass flaw isn’t exactly easy to exploit. It requires a complicated 37-step process and takes advantage of Siri and the VoiceOver accessibility feature. Of course, it also requires physical access to a device and that Siri on the Lock screen is enabled.

Interestingly, Face ID needs to be disabled or the TrueDepth Camera physically covered for the bypass flaw to work properly.

But once the exploit is used, an attacker can gain full unauthenticated access to user’s contacts list, which includes phone numbers, email addresses and other data in a contact card.

An exploiter can go a step further and attempt to gain access to a user’s Camera Roll. While this is even a bit more complicated, it’s perfectly possible for an attacker with enough time and effort to access a user’s private images.

What Should I Do?

If you’re concerned about an attacker getting access to your contacts or photos, there are a few things you can do to protect yourself until Apple addresses the issue.

For one, keep Face ID enabled and don’t let your phone out of your sight for too long.

But to completely mitigate any risk of the vulnerability, the best option is to disable access to Siri on the Lock screen. Keep in mind this will ultimately hinder your full enjoyment of iOS 12’s Siri capabilities.

1. You can do that by going to Settings
2. Then Face ID & Passcode (or Touch ID & Passcode).
3. From there, scroll down and switch the toggle next to Siri under the Allow access when locked header.

Passcode bypass exploits like this one are routinely found in new versions of Apple’s mobile operating system, but they tend to be patched pretty quickly. Expect a fix to come in an upcoming update to iOS 12.