It’s only been a few hours since Apple releases iOS 12.1 and an iPhone enthusiast has managed to find a passcode bypass hack, once again, that could allow anyone to see all contacts’ private information on a locked iPhone.

If you require Digital Forensic assistance in gaining access to PIN or Password Locked iPhone or Samsung handsets get in touch now – Advanced Data Recovery

Almost as soon as Apple released iOS 12.1 on Tuesday, a Spanish security researcher discovered a bug that exploits group Facetime calls to give anyone access to an iPhone users’ contact information with no need for a passcode.

Jose Rodriguez discovered the iOS exploit and first sent the information to The Hacker News. He’s uploaded a video (embedded below) to YouTube demonstrating how the passcode bypass works and Gizmodo has verified that all the conditions he outlines are legitimate.

A bad actor would need physical access to the phone that they are targeting and has a few options for viewing the victim’s contact information. They would need to either call the phone from another iPhone or have the phone call itself. Once the call connects they would need to:

  • Select the Facetime icon
  • Select “Add Person”
  • Select the plus icon
  • Scroll through the contacts and use 3D touch on a name to view all contact information that’s stored.

Making the phone call itself without entering a passcode can be accomplished by either telling Siri the phone number or, if they don’t know the number, they can say “call my phone.” We tested this with both the owners’ voice and a strangers voice, in both cases, Siri initiated the call.

This isn’t a critical security flaw and a random hacker would have some hurdles to clear for this to be of any use, but it could put domestic abuse victims or political dissidents at risk. A truly dedicated hacker could use email and phone number information from a victim’s network to construct a more elaborate hacking campaign through techniques such as phishing.

We’ve contacted Apple for comment on the issue but did not receive a reply. We’ve seen virtually identical methods used to bypass the lockscreen in previous versions of iOS and there’s not a whole lot that anyone can do about it until Apple decides to add a fix in future updates. Until then, you could disable Siri to add an extra level of protection but that won’t solve the whole problem.

Jose Rodriguez, a Spanish security researcher, contacted The Hacker News and confirmed that he discovered an iPhone passcode bypass bug in the latest version of its iOS mobile operating system, iOS 12.1, released by Apple today.

To demonstrate the bug, Rodriguez shared a video with The Hacker News, as shown below, describing how the new iPhone hack works, which is relatively simple to perform than his previous passcode bypass findings.

Instead, the issue resides in a new feature, called Group FaceTime, introduced by Apple with iOS 12.1, which makes it easy for users to video chat with more people than ever before—maximum 32 people.

How Does the New iPhone Passcode Bypass Attack Work?

Unlike his previous passcode bypass hacks, the new method works even without having Siri or VoiceOver screen reader feature enabled on a target iPhone, and is trivial to execute.

Here are steps to execute the new passcode bypass hack:

  • Call the target iPhone from any other iPhone (if you don’t know the target’s phone number, you can ask Siri “who I am,” or ask Siri to make a call to your phone number digit by digit), or use Siri to call on your own iPhone.
  • As soon as the call connects, initiate the “Facetime” video call from the same screen.
  • Now go to the bottom right menu and select “Add Person.”
  • Press the plus icon (+) to access the complete contact list of the targeted iPhone, and by doing 3D Touch on each contact, you can see more information.

“In a passcode-locked iPhone with latest iOS released today Tuesday, you receive a phone call, or you ask Siri make a phone call (can be digit by digit), and, by changing the call to FaceTime you can access to the contact list while adding more people to the Group FaceTime, and by doing 3D Touch on each contact you can see more contact information,” Rodriguez told The Hacker News.

Also, it should be noted that since the attack utilizes Apple’s Facetime, the hack would only work if the devices involved in the process are iPhones.


The new passcode bypass method seems to work on all current iPhone models, including iPhone X and XS devices, running the latest version of the Apple mobile operating system, i.e., iOS 12.1.

Since there’s no workaround to temporarily fix the issue, users can just wait for Apple to issue a software update to address the new iPhone passcode bypass bug as soon as possible.

Rodriguez has previously discovered a series of iPhone passcode bypass hacks. Around two weeks ago, he found an iPhone bypass hack that works in 12.0.1 and takes advantage of Siri and VoiceOver screen reader to get through your phone’s defenses, allowing attackers to access photos and contacts on a locked iPhone.

Rodriguez discovered a similar bug in iOS 12 in late last month that also takes advantage of Siri and VoiceOver screen reader, and allows attackers with physical access to your iPhone to access your contacts and photos.

 

Pin It on Pinterest

Share This