Lock Screen Bugs Keep Coming: Apple’s Latest iOS 12.1 Group FaceTime Feature Can Be Exploited to Bypass Passcode
Apple started rolling out iOS 12.1 to iPhones and iPads earlier this week. While the latest update fixed a number of security issues, including privilege escalation flaws, it appears it has also brought in some new problems for users. Jose Rodriguez, a Spanish security researcher known for finding ways to bypass lock screen passcodes, has discovered a bug that exploits Group FaceTime calls to give anyone access to an iPhone's contact information without requiring a passcode.
Like most of the passcode bypass hacks we have seen in the past, this one also requires physical access to the target device. An attacker who has this access can make a call to the target iPhone from another iPhone. If the number isn't known, Siri is always there to help you out (another reason why you should keep it disabled). Once the call connects, an attacker can access the contact information by:
- Selecting the FaceTime icon.
- Selecting Add Person > plus icon.
- The device will ask the attacker to select someone from the address book to add to the ongoing call. While only contact names are displayed, the attacker can use 3D Touch to get access to additional information for each contact stored on the device.
The exploit appears to work only on the very latest iOS 12.1, since that update brought in the Group FaceTime feature, which allows you to add other people to your ongoing FaceTime call.
Unlike previous hacks that we have seen exploiting Siri to get access to photos and contact information, this one is pretty straightforward and doesn't require multiple steps. The hack is quite easy to carry out and puts users in offices or shared spaces at risk.
Rodriguez has become a known name in the iPhone hacking space for discovering several ways to bypass the iPhone lock screen to get access to device data. As for Apple, the company has yet to find a way to put a stop to all the almost-identical methods that people with physical access to the device can use to get access to personal information.