Jose Rodriguez, a Spanish security researcher, contacted The Hacker News and confirmed that he discovered an iPhone passcode bypass bug in the latest version of its iOS mobile operating system, iOS 12.1, released by Apple today.
To demonstrate the bug, Rodriguez shared a video with The Hacker News, as shown below, describing how the new iPhone hack works, which is relatively simple to perform than his previous passcode bypass findings.
Instead, the issue resides in a new feature, called Group FaceTime, introduced by Apple with iOS 12.1, which makes it easy for users to video chat with more people than ever before—maximum 32 people.
How Does the New iPhone Passcode Bypass Attack Work?
Unlike his previous passcode bypass hacks, the new method works even without having Siri or VoiceOver screen reader feature enabled on a target iPhone, and is trivial to execute.
- Call the target iPhone from any other iPhone (if you don't know the target's phone number, you can ask Siri "who I am," or ask Siri to make a call to your phone number digit by digit), or use Siri to call on your own iPhone.
- As soon as the call connects, initiate the "Facetime" video call from the same screen.
- Now go to the bottom right menu and select "Add Person."
- Press the plus icon (+) to access the complete contact list of the targeted iPhone, and by doing 3D Touch on each contact, you can see more information.
"In a passcode-locked iPhone with latest iOS released today Tuesday, you receive a phone call, or you ask Siri make a phone call (can be digit by digit), and, by changing the call to FaceTime you can access to the contact list while adding more people to the Group FaceTime, and by doing 3D Touch on each contact you can see more contact information," Rodriguez told The Hacker News.Also, it should be noted that since the attack utilizes Apple's Facetime, the hack would only work if the devices involved in the process are iPhones.
The new passcode bypass method seems to work on all current iPhone models, including iPhone X and XS devices, running the latest version of the Apple mobile operating system, i.e., iOS 12.1.
Since there's no workaround to temporarily fix the issue, users can just wait for Apple to issue a software update to address the new iPhone passcode bypass bug as soon as possible.
Rodriguez has previously discovered a series of iPhone passcode bypass hacks. Around two weeks ago, he found an iPhone bypass hack that works in 12.0.1 and takes advantage of Siri and VoiceOver screen reader to get through your phone's defenses, allowing attackers to access photos and contacts on a locked iPhone.
Rodriguez discovered a similar bug in iOS 12 in late last month that also takes advantage of Siri and VoiceOver screen reader, and allows attackers with physical access to your iPhone to access your contacts and photos.