A few hours after Apple released iOS 12.1, a researcher presented a Passcode Bypass issue

A few hours after Apple released iOS 12.1 the iPhone bug hunter Jose Rodriguez has found a new passcode bypass issue that could be exploited to see all contacts’ private information on a locked iPhone.

“Jose Rodriguez, a Spanish security researcher, contacted The Hacker News and confirmed that he discovered an iPhone passcode bypass bug in the latest version of its iOS mobile operating system, iOS 12.1, released by Apple today.” reads a post published by THN.

Like other passcode bypass flaws discovered by the researcher also this one is very simple to exploit.

Rodriguez published a video PoC that show how the passcode bypass works.

The new passcode bypass attack doesn’t leverage on Siri or VoiceOver screen reader feature enabled on a target iPhone.

• Call the target iPhone from any other iPhone (if you don’t know the target’s phone number, you can ask Siri “who I am,” or ask Siri to make a call to your phone number digit by digit), or use Siri to call on your own iPhone.
• As soon as the call connects, initiate the “Facetime” video call from the same screen.
• Now go to the bottom right menu and select “Add Person.”
• Press the plus icon (+) to access the complete contact list of the targeted iPhone, and by doing 3D Touch on each contact, you can see more information.

“In a passcode-locked iPhone with latest iOS released today Tuesday, you receive a phone call, or you ask Siri make a phone call (can be digit by digit), and, by changing the call to FaceTime you can access to the contact list while adding more people to the Group FaceTime, and by doing 3D Touch on each contact you can see more contact information,” Rodriguez told The Hacker News.

Also, it should be noted that since the attack utilizes Apple’s Facetime, the hack would only work if the devices involved in the process are iPhones.

Unfortunately, at the time, there is no workaround to address the issue.

Rodriguez has recently other similar issued in Apple devices, in October he first discovered a passcode bypass vulnerability in Apple’s new iOS version 12 that could have been exploited to access photos, contacts on a locked iPhone XS.

The researcher also disclosed a new passcode bypass flaw that could have been exploited to access photos and contacts on a locked iPhone XS.

Pierluigi Paganini

(Security Affairs – passcode bypass flaw, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]