Almost as soon as Apple released iOS 12.1 on Tuesday, a Spanish security researcher discovered a bug that exploits group Facetime calls to give anyone access to an iPhone users’ contact information with no need for a passcode.
Jose Rodriguez discovered the iOS exploit and first sent the information to The Hacker News. He’s uploaded a video (embedded below) to YouTube demonstrating how the passcode bypass works and Gizmodo has verified that all the conditions he outlines are legitimate.
A bad actor would need physical access to the phone that they are targeting and has a few options for viewing the victim’s contact information. They would need to either call the phone from another iPhone or have the phone call itself. Once the call connects they would need to:
-
Select the Facetime icon
-
Select “Add Person”
-
Select the plus icon
-
Scroll through the contacts and use 3D touch on a name to view all contact information that’s stored.
Making the phone call itself without entering a passcode can be accomplished by either telling Siri the phone number or, if they don’t know the number, they can say “call my phone.” We tested this with both the owners’ voice and a strangers voice, in both cases, Siri initiated the call.
This isn’t a critical security flaw and a random hacker would have some hurdles to clear for this to be of any use, but it could put domestic abuse victims or political dissidents at risk. A truly dedicated hacker could use email and phone number information from a victim’s network to construct a more elaborate hacking campaign through techniques such as phishing.
We’ve contacted Apple for comment on the issue but did not receive a reply. We’ve seen virtually identical methods used to bypass the lockscreen in previous versions of iOS and there’s not a whole lot that anyone can do about it until Apple decides to add a fix in future updates.
Until then, you could disable Siri to add an extra level of protection but that won’t solve the whole problem.