E-Threats Mobile & Gadgets

Even with the latest iOS 12 update, your iPhone’s lockscreen is unsafe

Once again, a way of bypassing the iPhone’s passcode lock to expose users’ photos and contacts has been discovered.

Jose Rodriguez, who has uncovered vulnerabilities in iOS’s lock screen security on a number of occasions in the past, has produced a video demonstrating an (admittedly convoluted) way of accessing information on locked iOS devices that really should be out of bounds.

In a Spanish-language YouTube video published last week, Rodriguez revealed how it is possible for an attacker who has physical access to an iPhone running iOS 12 to partially unlock its contents, provided that Siri is enabled, and Face ID is either disabled or physically covered.

The complex, 37-step procedure exploits Siri and iOS’s VoiceOver accessibility feature to bypass a locked iPhone’s passcode check.

It did not take long for an English-speaking YouTuber to produce a video demonstrating the same technique on the iPhone XS Max, and crediting Rodriguez for the discovery.

Over the years there have been an embarrassing number of passcode bypass flaws found in iOS. It’s clear that, despite all of the incidents, Apple still hasn’t managed to properly secure its devices from attacks like this.

Watching the video, it’s clear that it’s quite a parlarver to go through the process of bypassing somebody’s passcode lock – but if you were determined enough (perhaps you wanted to spy on your suspicious partner’s activities?) you may well be prepared to go through with it.

Locked should mean really locked, and yet time and time again bypasses have been found which have shown that Apple’s security is not as tight as it should be.

If you worry that your supposedly locked iPhone might be vulnerable to future flaws then my advice is that you can increase your security by permanently disabling Siri from the lock screen.

To do that, go to Settings / Touch ID & Passcode, scroll down to the “Allow access when locked” section and ensure that Siri is disabled.

Yes, that might make your phone slightly less convenient. But security matters, right?

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

Add Comment

Click here to post a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.