New iPhone lock screen exploit reveals contact information without passcode

By Mike Wuerthele

A new exploit has surfaced that requires precise timing and physical access to a device with Siri enabled on the lock screen. It gives attackers the ability to view contact information, including photos, and message logs.

The exploit was first publicized by YouTube channel iDeviceHelp. Attackers with access to the device must call the phone, and start to send a message. After that, assailants instruct Siri to turn on VoiceOver.

For the next steps, timing is crucial. Attackers must double-tap the contact info bar and hold the second tap on the bar, while immediately clicking on the keyboard, which may or may not be invoked in time for the exploit to work.

At this point, the attacker can type the first letter of a contact's name, and then tap the info button next to the contact to get information on the contact. The phone remains locked during the entire attack.

AppleInsider was able to repeat the steps necessary to invoke the attack on an iPhone SE, an iPhone 6 Plus, and an iPhone 6S Plus, but not on an iPhone 7 or 7 Plus, a failure suspected to be caused by slightly different keyboard invocation times. A different YouTube channel, EverythingApplePro, claims that the exploit works on any phone, going back to iOS 8.0.

The best way to prevent the attack is to disable Siri while the phone is locked, using the Touch ID & Passcode preferences, or to prevent physical access to the device. The testers have reported the flaw to Apple.