


A passcode bypass vulnerability has been discovered in iOS 12 that potentially allows an attacker to access photos and contact details on a locked iPhone.

The rather convoluted bypass method was shared in a video by Jose Rodriguez, who has discovered iOS bugs in the past that Apple has subsequently fixed.


With physical access to the locked device, the attacker first asks Siri to activate VoiceOver, sleeps the device with the Side button, and then calls the iPhone using another device. Once the call screen shows up, the attacker taps the Message button, opts to create a custom message, and then taps the plus (+) icon in the top right.

Next, on the other phone, the attacker sends a text or iMessage to the target iPhone, whose screen is then double-tapped when the message notification appears. This causes an odd behavior in the UI, since it highlights the plus icon underneath.

After a short wait, the screen goes white and the notification disappears, but VoiceOver's text selection box is apparently still tappable and can now be used to access the Messages interface. Following multiple screen swipes, VoiceOver is heard to say "Cancel," which reveals the original Messages screen.


Adding a new recipient to the message and selecting a numeral from the virtual keyboard then reveals a list of recently dialed or received phone numbers and contacts. Further, if one of the numbers or contacts includes an info ("i") button, disabling VoiceOver and tapping the button shows the contact's information. Performing a 3D Touch action on the contact also brings up call and message options, along with options to Add to Existing Contact or Create New Contact.

In a similarly complicated set of steps involving an invisible user menu, an attacker can eventually access a locked iPhone's Camera Roll and other photo folders, which can then be used to add profile pictures to contact cards.

The bypass methods work on all iPhones, including the iPhone XS lineup, and Apple doesn't appear to have fixed the vulnerabilities in the latest iOS 12.1 beta. Thankfully, however, all of the above can be easily prevented by disabling access to Siri from the lock screen.

Concerned users can do so by navigating to Settings > Face ID & Passcode (that's Settings > Touch ID & Passcode on iPhones with Touch ID) and disabling the Siri toggle under the "Allow access when locked" menu.

Article Link: Complex Passcode Bypass Method Exposes iPhone Contacts and Photos in iOS 12
This is so obvious; how was it not identified pre-release?
 
I mean he’d have to turn it on eventually, right? If you requested Find My iPhone to lock it in Lost Mode, wouldn’t it have bricked when they turned it on?
Not if it didn't have a connection (a SIM can easily be removed, and WiFi wouldn't connect until the phone is unlocked and is by a known WiFi network).
 
Did you put the phone in lost mode and was your phone backed up?

Yes to both, so I’m VERY grateful for those options!!!
I mean he’d have to turn it on eventually, right? If you requested Find My iPhone to lock it in Lost Mode, wouldn’t it have bricked when they turned it on?

Yes.
It was turned on for a moment at around 5:15am, the following morning.
It was a street corner about 4 miles from my house. (I searched the bushes near there, to no avail)
I assume they saw the note on the screen which read: “please return, $100 reward- no questions asked” & freaked out & turned it off again.
It is DEFINITELY bricked for them & useless- that doesn’t change the fact that I lost out on roughly $850 in resale value.
As I said- I wish there was a way I could have prevented it from being turned off, & located it immediately after it was taken.
Perhaps the way some computers can be turned on remotely? Or the option to keep some small amount of processing active, even when the phone is “off”, like location services only?
 
And this is why I completely turned off Siri. These breaches always require Siri.
I notice that too. Does Siri just not have any restrictions put on her? I would expect she would only have access to certain things in certain scenarios. But this exploit uses accessibility features too. I'm not sure how you would secure those.
It looks to me like the way iOS handles elements that can be interacted with is very sloppy and easy to fool. If that's the case, it would take major work to overhaul that, and much less to patch around each individual security issue.
 

Well Siri does have loads of restrictions. That's why Siri almost always says: "You have to unlock your iPhone first". However, this bug takes advantage of the accessibility setting VoiceOver which is interesting because, really, one would think that it is not necessary to enable VoiceOver from the lock screen. Apple should issue an update where enabling VoiceOver requires an unlocked device. Issue fixed.
 
Yeah. The last issue is powering the phone off.
Sadly, I’m speaking from experience. =/
I didn’t have insurance on my iPhone X b/c I thought nobody would be stupid enough to steal an unusable phone.
I left it at a side smoking area at my work (300+ employees). I realized it about 5 minutes later & returned... it wasn’t there so I called it.
It had already been shut off, and I ended up having to pay off the remaining $650 I owed on it so I can order an XR... but without the ability to sell it & recoup the cost of a new phone.
Needless to say- that stung!
I wish there was a preventative measure for this type of instance.

On the S8 you have to punch in the code to shut it down. Why can’t iOS do that?
 
Well I guess it’s more complicated than the no-password root exploit that surfaced recently, but still... I expect better than this Apple.

This kind of thing is incredibly difficult to find. All software has bugs, all of it. It's unrealistic to expect any company to find every single obscure bug out there.
 


I've posted this as suggestion on Apple's site, twitter etc in the past. That the UX needs to require authentication to power off the phone - this would solve the problem and certainly wouldn't be difficult to implement.
 

The only thing I can think is that they want a way to “force restart/force shutdown” when the phone becomes non-responsive from a crash- rather than the user having to wait for the unit to power down.

I’m leaning towards the idea either a “remote power on” feature, from iCloud- that would still require authentication on the device... or maybe they could come up with a third power state option between on & off, similar to the sleep/hibernate options on a laptop- where a manual/emergency power down would still leave a single background process running... location services providing location to Find my iPhone.
 

Problem is, shutting down the device is not the last issue; it's the second-to-last. The last one is the SIM tray. With a simple needle, it can be ejected and then Find My iPhone is inaccessible.
 
Even so the phone without sim is only good for parts, unless the owner never (foolishly) set a password and then all bets are off.
 

True, the phone would be a brick without the passcode, and if "Erase phone after 10 failed passcode attempts" is enabled, your data will be erased regardless of Find My iPhone. And after it has been deleted, Activation Lock kicks in and suddenly the thief would need to put in your Apple ID to even use the phone again.
 