Apple recently fixed a vulnerability that could be used to bypass the iPhone lock screen with its release of iOS 12.0.1 last week. However, Jose Rodriguez, an iOS enthusiast known for finding ways to break into the iPhones, has revealed yet another problem.
Rodriguez had disclosed a vulnerability - tracked as CVE-2018-4380 - to bypass the iPhone lock screen last month. Since the method worked on the latest iOS versions and on the newest of iPhones, Apple was quick to patch the flaw in its latest security update.
"A lock screen issue allowed access to photos and contacts on a locked device. This issue was addressed by restricting options offered on a locked device." - Apple
However, Rodriguez has disclosed yet another similar problem that exploits an unpatched bug in VoiceOver to gain unauthorized access to photos on an iPhone.
How this latest iPhone hack works
The latest way to get into an iPhone to access its photos uses the ever-compliant Siri and a VoiceOver bug (via AppleInsider). We have seen Siri being involved in numerous similar such hacks where it's used to get unauthorized access to an iPhone if someone has physical access to the device.
This latest attack works something like this:
- You make a call to the target iPhone.
- Phone number isn't known? Don't worry, just ask Siri to read it out for you.
- On the call screen, Rodriguez selects the Messages icon and activates VoiceOver via Siri.
- Using this newly activated VoiceOver, a hacker can navigate through hidden UI functions and activate them.
- Back to Messages, hacker taps on the Camera icon, invokes Siri, double taps the screen, and apparently, a bug has been exploited that could be used to insert multiple images into the Messages text box and sent to the attacker's device. Notice that the hacker can't actually see the photostream but can randomly tap to select an image, view and decide to send it or choose another.
Didn't get any of that? Don't worry. Rodriguez has shared a pretty useful proof-of-concept that you can follow to try this hack on your own iPhone - you will need two devices for this to work.
This new VoiceOver bug works on the very latest iOS version 12.0.1 and the brand new iPhone XS. As recommended previously, users can disable Siri's access on the lock screen through Settings > Touch ID & Passcode > uncheck Siri under "Allow access when locked."
Apple is likely to address this latest iPhone hack in an upcoming release.