iOS 13 ships with known lockscreen bypass flaw that exposes contacts
Apple released iOS 13 with a bunch of new features. But it also released the new OS with something else: a bug disclosed seven days ago that exposes contact details without requiring a passcode or biometric identification first.
Independent researcher Jose Rodriguez published a video demonstration of the flaw exactly one week ago. It can be exploited by receiving a FaceTime call and then using the VoiceOver accessibility feature, enabled through Siri, to reach the contact list. From there, an unauthorized person could get names, phone numbers, email addresses, and any other information stored in the phone’s contacts.
Rodriguez’s video was the topic of more than 100 news articles over the past week. Since iOS 13 was still in beta when the video first appeared, I assumed Apple developers would fix the bypass in time for yesterday’s release. Alas, they didn’t, and it’s not clear why. Apple representatives have yet to respond to a request for comment.
As with all lockscreen bypasses, an exploit requires the attacker to have physical and uninterrupted access to a vulnerable phone. It can’t be exploited remotely by SMS or similar means. But the sole purpose of a lockscreen is to protect against exactly those brief encounters with untrusted people. While the iPhone has suffered from much worse vulnerabilities—both the recent jailbreak bug regression and the host of actively exploited zeroday flaws come to mind—it’s hard to understand why this one wasn’t fixed before iOS 13 went live.
It wouldn’t be surprising if Apple issued an update soon. Until then, users may be able to mitigate the threat by following instructions here.