With the release of iOS 12.1 for Apple’s mobile devices came the exciting (and much-desired) ability to have group video calls with their built in app, FaceTime. However, this new addition brought about an exploit that can allow any attacker to easily bypass a device’s lock screen password and view all the contact information stored on it. It was discovered by Jose Rodriguez (Twitter: @VBarraquito), a Spanish security researcher who is well-known for discovering a variety of bypass methods, including one that previously allowed information to be viewed through the photo sharing feature on the lock screen camera.
The exploit is fairly simple to execute once an attacker has the target device in their possession, and if it is set up with certain features. Firstly, the phone number of the target device is needed, which is fairly simple if it has Siri enabled. With a different device of their own, they just need to:
- Call the target device.
- Tap the FaceTime icon on the call screen to have it routed through there instead.
- Go to add contacts once the call begins.
- If the target device happens to have 3D touch enabled, a heavy press on the screen on any contact name will bring up the full list of their contact information.
As of right now, it is not yet known if Apple is working on an update to patch the exploit, given how recent the update itself is. With how easy it is for the average person to use, it should hopefully be high on their priority list. Many users who tend to multitask more on their phones, such as those that work for large companies, will tend to have 3D touch and Siri enabled for their ease of usage, thus making them more likely to fall victim to the exploit, especially given how often they may be in public spaces and could potentially have their device stolen.
★ Post by Allan Sun