Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

New iPhone lock screen exploit reveals contact information without passcode

A new exploit requiring precise timing in conjunction with physical access to a device that has Siri enabled on the lock screen has surfaced, giving attackers the ability to view contact information, including photos, and message logs.

First publicized by YouTube channel iDeviceHelp, attackers with access to the device must call the phone, and start to send a message. After that, assailants instruct Siri to turn on voice over.

For the next steps, timing is crucial. Attackers must double-tap the contact info bar, and hold the second tap on the bar, while immediately clicking on a keyboard which may or may not invoke in time for the exploit.

At this point, the attacker can type the first letter of a contact's name, and then tap info button next to the contact to get information on the contact. The phone remains locked during the entire attack.

AppleInsider was able to repeat the steps necessary to invoke the attack on an iPhone SE, an iPhone 6 Plus, and an iPhone 6S Plus, but not on an iPhone 7 or 7 Plus suspected because of slightly different keyboard invocation times. A different YouTube channel, EverythingApplePro, claims that the exploit is capable on any phone, going back to iOS 8.0.

The best way to prevent the attack method is to disable Siri while the phone is locked in the Touch ID & Passcode preferences, or prevent physical access to the device. The testers have reported the flaw to Apple.



11 Comments

🎅
boredumb 14 Years · 1418 comments

So???  A well-known Apple expert has recently explained, in these Fora, that Apple users don't really care about privacy anyway...
Right?

/s

🌟
ericthehalfbee 13 Years · 4489 comments

Not again. Who has the time to even figure these stupid things out? Do you just sit around all day for hours and hours trying ridiculous combinations hoping you're going to come up with one that allows you access to something?

🌟
foggyhill 10 Years · 4767 comments

So, they already have physical access to your phone and now can steal your cat photos ;-).

❄️
williamh 13 Years · 1048 comments

Not again. Who has the time to even figure these stupid things out? Do you just sit around all day for hours and hours trying ridiculous combinations hoping you're going to come up with one that allows you access to something?

Not my area of expertise, but I would guess that these things are discovered through fuzz testing or some other automated method.

🍪
Doodpants 8 Years · 57 comments

The more functionality that is available from the lock screen, the harder it is to ensure that there aren't any bugs that allow access to personal information. Apple has to make sure that each operation is aware of when the phone is locked vs. unlocked, and enforces appropriate limitations when locked. IMHO, the only things you should be able to do at the lock screen are 1) unlock the phone, and 2) call emergency services (911). I would also concede 3) take a photo/video, because sometimes you want to capture a moment that you might miss if you wasted time unlocking the phone. Adding more operations increases the chance of exploitable bugs.