Apple is set to release iOS 13 next week. The latest version of the operating system will come with several new features and possibly with an exploit as well. This exploit, the iOS 13 lock screen bypass, could allow anyone to bypass the lock screen and access the contacts saved on the device.
What is the iOS 13 lock screen bypass?
Security researcher Jose Rodriguez said he informed Apple about the iOS 13 lock screen bypass exploit on July 17. However, he claims the exploit is still present in the Gold Master (GM) version of iOS 13, The Verge reports. It is largely believed that the GM version will be released publicly as iOS 13 on Sept. 19.
What makes the iOS 13 lock screen bypass frightening is that it is easy to attain. Rodriguez explained the methodology in a YouTube video. The exploit requires a FaceTime call and then opting to respond with a text message. Thereafter, Siri can be used to toggle the voiceover feature, which then allows the hacker to get access to the contact list without ever needing to unlock the device.
According to the researcher, the exploit would allow anyone to access the contact information, including the email addresses, address information, secondary phone numbers and more. However, to carry out the exploit, the hacker must be in possession of the victim’s device and call it from another number.
The Verge tested the exploit on an iPhone X and confirmed its existence on the Gold Master (GM) version of iOS 13. However, the exploit does not allow access to the person’s photographs. Apple Insider has also been able to replicate the exploit.
Why is the exploit not yet fixed?
The exploit is fixed in iOS 13.1, the security researcher says. iOS 13.1 is scheduled to roll out publicly on Sept. 30. Apple may fix the exploit in iOS 13 as well, considering its release is still a week away.
Even if the exploit is not fixed in iOS 13, don’t worry because you can easily keep hackers from benefiting from it. All you have to is to disable the “reply with message” option in the iDevice’s Face ID & Passcode settings. This feature is enabled by default.
One reason Apple might not have addressed the iOS 13 lock screen bypass exploit is because information-disclosure bugs are usually considered low-risk security flaws. These are not on par with vulnerabilities that allow hackers to access devices remotely. Nevertheless, it is still an exploit that should be fixed.
According to Rodriguez, when he first reported the bug, Apple was not too keen because finding an exploit in the beta build does not qualify for bug rewards. Rodriguez says the company initially agreed to give him a gift for reporting the passcode bypass.
“I reported the security problem and then Apple retracted, apologized and told me that it was not allowed to thank by giving gifts for security reports during beta period,” the security researcher told The Register.
Not a new issue
Rodriguez is a known name in the security field as he previously unearthed a similar exploit in iOS 12.1 last year. However, at the time, the flaw was discovered a few days after the release of iOS 12.1.
Also at the Black Hat Conference 2019, researchers discovered a way to bypass Face ID using modified glasses and an unconscious owner. Although the current exploit does not include knocking out the owner, it still requires the hacker to get hold of the iPhone for a few minutes at least.
The lock screen bypass bug is not a new issue with iOS. A similar bug in iOS 6.1 (2013) allowed hackers to access contact information, phone records and photos. Similar issues were also reported with iOS 7, iOS 8.1 and most recently, iOS 12.1.
Apple is planning to release iOS 13 on Sept. 19, a day before the iPhone 11, iPhone 11 Pro and iPhone 11 Pro Max hit stores. The devices that will support iOS 13 are the iPhone XS, iPhone XS Max, iPhone XR, iPhone X, iPhone 8, iPhone 8 Plus, iPhone 7, iPhone 7 Plus, iPhone 6S, iPhone 6S Plus, iPhone SE and iPod Touch (7th generation).
iOS 13 will make the iPhones faster, more secure and smarter. The new features included in iOS 13 include new photo-editing tools, a dedicated dark mode, gesture-based QuickPath keyboard and a tool to block unknown callers. Apple is also adding new Maps tools, the ability to customize Memoji avatars and security features like Sign In with Apple.