Even with the latest iOS 12 update, your iPhone’s lockscreen is unsafe

Once again, a way of bypassing the iPhone’s passcode lock to expose users’ photos and contacts has been discovered.

AWS Builder Community Hub

Jose Rodriguez, who has uncovered vulnerabilities in iOS’s lock screen security on a number of occasions in the past, has produced a video demonstrating an (admittedly convoluted) way of accessing information on locked iOS devices that really should be out of bounds.

In a Spanish-language YouTube video published last week, Rodriguez revealed how it is possible for an attacker who has physical access to an iPhone running iOS 12 to partially unlock its contents, provided that Siri is enabled, and Face ID is either disabled or physically covered.

The complex, 37-step procedure exploits Siri and iOS’s VoiceOver accessibility feature to bypass a locked iPhone’s passcode check.

It did not take long for an English-speaking YouTuber to produce a video demonstrating the same technique on the iPhone XS Max, and crediting Rodriguez for the discovery.

Over the years there have been an embarrassing number of passcode bypass flaws found in iOS. It’s clear that, despite all of the incidents, Apple still hasn’t managed to properly secure its devices from attacks like this.

Watching the video, it’s clear that it’s quite a parlarver to go through the process of bypassing somebody’s passcode lock – but if you were determined enough (perhaps you wanted to spy on your suspicious partner’s activities?) you may well be prepared to go through with it.

Locked should mean really locked, and yet time and time again bypasses have been found which have shown that Apple’s security is not as tight as it should be.

If you worry that your supposedly locked iPhone might be vulnerable to future flaws then my advice is that you can increase your security by permanently disabling Siri from the lock screen.

To do that, go to Settings / Touch ID & Passcode, scroll down to the “Allow access when locked” section and ensure that Siri is disabled.

Yes, that might make your phone slightly less convenient. But security matters, right?

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Graham Cluley. Read the original post at: