This iOS 12.1 Group FaceTime Hack Allows Full Access to Contacts

iOS 12.1 allows a passcode bypass to see all contacts' private information. Credit: YouTube / Videosdebarraquito

Another iOS update, another Lock screen exploit that could be used to access sensitive data.

iPhone enthusiast and prolific vulnerability hunter Jose Rodriguez has discovered a new bug in Apple’s latest iOS 12.1 update that could give a malicious entity access to your contacts without inputting a passcode.

Rodriguez detailed the exploit in a Spanish-language YouTube video he posted to his channel on Oct. 30.

As with most other Lock screen exploits, this method requires that an attacker has physical access to a target iPhone, as well as another iPhone nearby. But the vulnerability itself is fairly easy to take advantage of. Specifically, it exploits what appears to be a flaw in Group FaceTime.

First, the attacker calls the target iPhone.

Then, they would tap on FaceTime and Add Person.

From there, they can select the Plus icon to see a list of contacts and use 3D Touch to access all of the data stored in a contact card.

What Can I Do to Prevent This?

Although users likely won’t be affected by this security loophole, you can safeguard yourself by disabling access to Siri when your device is locked. Note that disabling Siri while locked will inherently block you from using one of iOS’ more useful features.

  1. Open Settings.
  2. Tap Face ID & Passcode.
  3. Disable Siri under Allow access when locked.

It isn’t clear, however, if the same method can be used when the target iPhone receives a phone call. If that’s the case, then disabling Siri from the Lock screen won’t do anything to mitigate the attack.

Of course, Apple is likely to patch the security vulnerability in a future iOS 12.X update. So just keep an eye on your iPhone in the meantime if you’re worried about this hack.

This is far from the first vulnerability that Rodriguez has discovered; he found similar Lock screen bypasses in iOS 12 and iOS 12.0.1 almost immediately after they were released.

But he’s been finding exploits in Apple’s software since at least 2016. If they haven’t already, someone needs to offer Rodriguez a job as a security researcher.
