iOS 12 passcode bypass flaws give access to photos and contacts

A new security flaw discovered in iOS 12 allows users to bypass passcode and gain access to contacts and photos on iPhone. Through a few complex steps which include Siri, voice over, phone call and messages, a hacker can potentially gain access to the contents of a locked iPhone. Similar steps can be followed, but with the notes app too. This is not the first time that a passcode bypass has been discovered in a new iOS release, and if history is an indication, it definitely will not be the last.

iOS 12 passcode bypass

Every year Apple seems to leave behind some flaw that is discovered and later fixed by the company. These latest ones in iOS 12 has been discovered by Jose Rodriguez, who has been discovering passcode bypass flaws since iOS 5.

Here’s how Jose bypassed passcode on iOS 12, on an iPhone:

Using phone call:

  • Ask Siri to activate VoiceOver
  • Lock the device and call it using another phone
  • When the iPhone rings, tap the message button and tap on custom message
  • In custom message compose screen, tap the + sign on the top right
  • A message is sent from another phone to the iPhone
  • Double tap the message notification on iPhone
  • After notification goes away, the screen turns white
  • Swipe on the screen to reach a cancel button and tap it, and it opens Messages again
  • The To: field will now list all contacts when they keyboard is used
  • If a recent contact is saved in contacts, full details of that contact can be seen
  • From here, the profile pictures of contacts can be used to access device photos, again using an invisible menu via VoiceOver

Using Notes:

  • Ask Siri to create a Note
  • Tap on the Note
  • Take a photo using the camera and edit it in markup
  • Click the share button and it’ll show up but with blank fields
  • Ask Siri to enable VoiceOver
  • Using swipe gestures, navigate through an invisible menu and VoiceOver will name all of them

These security flaws are present even on the latest iPhone XS and in iOS 12.1 beta 1. Since iPads also support FaceTime calls and iMessage, these security flaws likely impact them too.

Apple has not addressed these flaws publicly yet so we are not exactly sure when a fix will roll out. Until then, to secure your device, disable Siri on lockscreen. This can be done by going to Settings > Face ID & Passcode on your iOS device and disabling the toggle for Siri under allow access when locked.

With charging issues, skin smoothing and now these security flaws, iOS 12.0.1, if not the final iOS 12.1 version, should be coming out very soon.