Apple has always been big on security, but the company’s iOS software invariably gets hoodwinked by clever users who have a lot of time on their hands to find obscure bugs. A researcher has discovered a big flaw in iOS 12 which lets anyone bypass an iPhone’s lock screen and take a look at its contacts and photos.
The vulnerability was first discovered by Jose Rodriguez. He detailed the hack in a Spanish-language video about a week ago. YouTuber EverythingApplePro later demonstrated the method in an English-language video. The bad news – the attack works on any iPhone running iOS 12, including the iPhone XS.
The good news – it’s extremely complicated and would take a lot of effort to see through. This takes care of casual pranksters, but serious hackers might just take a crack at it. As pointed out by Naked Security, the bypass requires physical access to a pair of iPhones for an extended period of time.
The person doing the hacking will have to complete 16 steps to see contacts, emails, and numbers. An extra 21 steps will allow them to peek into photos, as long as Face ID is either switched off or taped over. The main flaw allowing all this to happen is Siri. This isn’t surprising since the voice assistant is usually the weak link when it comes to iPhone security.
Also Read: iOS 12.1 beta arrives with ChargeGate fix, dual-SIM support, 70 new emoji
Siri has the ability to carry out commands even when an iPhone is locked. The hack takes advantage of this to crack open the handset and rifle through contacts, photos, and numbers with nothing more than some text messages, a few swipes, and a lot of patience.
iOS 12 Hack Solution
The obvious solution to this would be to ban Siri from the lock screen. You can do so by going to Settings > Face ID & Passcode or Settings > Touch ID & Passcode and disabling “Allow Access When Locked” for Siri. You can alternatively head to Settings > Siri & Search and disable “Allow Siri When Locked.”
Apple will probably address this flaw in a future iOS update. iOS 12.1 is due any day now, so the vulnerability might just get fixed in that build.