Complex iOS 13 exploit allows viewing of contacts without unlocking iPhone
A new exploit shows how someone could bypass an iPhone's passcode, FaceID, or TouchID requirements to view the contact information of an iPhone running iOS 13.
A video uploaded to YouTube by Jose Rodriguez illustrates how a VoiceOver and Siri exploit can give unrestricted access to view contacts stored on an iPhone.
Rodriguez shows how the exploit works, which involves calling or FaceTiming the target iPhone. Once the call is placed, the call recipient must opt to respond with a custom message rather than answer the call. From the message screen, the user must turn on VoiceOver using Siri and then turn it back off. Following the toggling of VoiceOver, the user can add to the contact field, which exposes the contact information of any contact in the phone.
AppleInsider was able to get the vector to work. There is, however, a timing element to enabling and disabling VoiceOver that varies based on unknown factors.
Relatively little is at stake with this exploit. Beyond the inherent danger of an assailant having your iPhone, this method only allows someone to view the contacts within the target iPhone, provided that they have physical access to the target phone and can complete the VoiceOver exploit.
Rodriguez has unearthed bypasses previously. In 2018, Rodriguez discovered another complex exploit in iOS 12 that allowed a user to use VoiceOver to access an iPhone's photos and contacts, not dissimilar to this one in iOS 13.
Those looking to protect themselves from the exploit can block it entirely by using the Passcode preferences menu to disable Siri while the phone is locked.
Rodriguez reported the flaw to Apple earlier in the iOS 13 beta process.