Amber Neely
A new exploit shows how someone could bypass an iPhone's passcode, FaceID, or TouchID requirements to view the contact information of an iPhone running iOS 13.
A video uploaded to YouTube by Jose Rodriguez illustrates using a VoiceOver and Siri exploit can give unrestricted access to view contacts stored on an iPhone.
Rodriguez shows how the exploit works, which involves calling or FaceTiming the target iPhone. Once the call is placed, the call recipient must opt to respond with a custom message rather than answer the call. From the message screen, the user must turn on VoiceOver using Siri and then turn it back off. Following the toggling of VoiceOver, the user can add to contact field, which allows you to see the contact information of any contact in the phone.
AppleInsider was able to get the vector to work. There is some timing element on enabling and disabling VoiceOver, however, that varies based on unknown factors.
Relatively little is at stake with this exploit. Beyond the inherent danger of an assailant having your iPhone, this method only allows someone to view the contacts within the target iPhone, provided that they have physical access to the target phone and can complete the VoiceOver exploit.
Rodriguez had unearthed bypasses previously. In 2018, Rodriguez discovered another complex exploit in iOS 12 that allowed a user to use VoiceOver to access an iPhone's photos and contacts, not dissimilar to this one in iO 13.
Those looking to protect themselves from the exploit can block it entirely by disabling Siri while the phone is locked in the Passcode preferences menu.
Rodriguez reported the flaw to Apple earlier in the iOS 13 beta process.
Andrew Orr
William Gallagher
Christine McKee
AppleInsider Staff
11 Comments
The other way of unlocking a phone is by putting it in my pocket. I can't tell you the number of times I feel the 'warmth' of the phone in my pocket only to pull it {the phone} out and find it on the home screen or in some other app.
I don't think I'll be losing a whole lotta sleep over this one.
Demos like this are annoying to watch. It looks like he's uncertain about the next step to take.
Honestly, even if that contact info is displayed, what can they do with it? Can they email my entire contact list? No. Can they start sending spam? No. I fail to see what the risk is. While it would be nice for the info to not be accessible, it's no different than a digital version of an address book that people used to keep around their house all the time. Not really considered "sensitive" information, if you ask me.