The Hacker News reported that iOS 13 will ship with a vulnerability that is known to Apple. The flaw allows anyone with access to your phone to bypass the lock screen and gain access to some sensitive information.
The Hacker News spoke with Jose Rodriguez, the security researcher who discovered this flaw. He said it allowed him to access the full list of Contacts on his iPhone, and all information related to each contact.
Rodriguez says he discovered the flaw in the iOS 13 beta and reported it to Apple on July 17. However, Apple, which recently attacked Google for revealing several security flaws, saying “iOS security is unmatched because we take end-to-end responsibility for the security”, has failed to correct the bug.
According to Rodriguez, the bypass still works on the Gold Master version of iOS 13, which will be rolling out to everyone on September 19. Well done, Apple; the users of iOS should now feel great confidence that your security is unmatched.
The bug allows anyone with physical access to the iPhone to view the full list of stored Contacts and the detailed information for each, including names, phone numbers, and emails, using nothing more than a FaceTime call. This short video shows just how easy this vulnerability is to execute.
As the above video demonstrates, this flaw doesn’t require developer knowledge or special hardware. Average users could quite easily leverage this vulnerability. While it’s very clear Apple shouldn’t be bragging about iOS security, maybe the iPhone maker could have saved ICE the 35 million they paid to Cellebrite for tools to hack into phones.
What’s more, this latest lock screen bypass is similar to one Rodriguez found last year in iOS 12.1 that used the iPhone’s built-in VoiceOver feature. So not only did Apple not fix the problem, they have nearly repeated an issue and ignored someone whose warnings should carry real gravitas.
H/t The Hacker News. Header image by amendch.