The new Apple iPhone 11 and iPhone 11 Pro are available for pre-order now. Not only do the latest iPhones come complete with the all-new iOS 13 operating system, but there’s an extra surprise right out of the box. Unfortunately, it’s not a pleasant one: the iPhone 11 and 11 Pro will ship with a confirmed security vulnerability in iOS 13 that could allow an attacker to access all stored contact information.
What is the iOS 13 lock screen bypass vulnerability?
Security researcher Jose Rodriguez has revealed how it is possible to bypass lock screen protection and access contact information from the target iPhone 11.
In a September 13 tweet, Rodriguez posted a link to a YouTube video with the message “With No Enter the Passcode you can See Contacts info. iOS 13 Feature. Read description please. Will Apple change this feature before the release of iOS 13?”
You can watch that video of the exploit in action here.
How serious is this security issue?
Any security issue has to be taken seriously, but not all exploits are equal. The first thing to be said about this one is that it’s far from a straightforward attack methodology, and it requires the attacker to have physical access to the target iPhone.
For most people, most of the time, that means it’s not going to be something to worry about unduly. What’s more, once the attacker has their hands on your iPhone 11 (or any iPhone running iOS 13 for that matter), the attack still requires a call or FaceTime session from another phone and a relatively complex series of responses. It isn’t an attack that can be carried out in a few seconds if you’ve left your iPhone on the table while popping to the loo!
What does the iPhone 11 security exploit involve?
As Apple Insider reports: “Once the call is placed, the call recipient must opt to respond with a custom message rather than answer the call.” But the complexity of the exploit doesn’t stop there, as VoiceOver using Siri has to be turned on and off again from the message screen. “Following the toggling of VoiceOver, the user can add to contact field, which allows you to see the contact information of any contact in the phone,” Apple Insider explains.
How can you mitigate against this iOS 13 lock screen exploit?
Apart from the obvious, keeping hold of your iPhone 11, there is another exploit mitigation method according to The Register. This involves “disabling ‘reply with message’ in your iDevice’s Face ID & Passcode settings,” The Register reports, “under the ‘allow access when locked’ section. This feature is, of course, enabled by default in iOS 13.”
What is the Apple response?
I have approached Apple for a statement and will update this article if and when one is received. However, The Register and other sources suggest that the lock screen issue will be fixed in the iOS 13.1 update, which is due to be released September 30. That does mean that iOS 13, as released September 19 and running on the iPhone 11 and iPhone 11 Pro released September 20, will still be vulnerable to this somewhat convoluted attack mode.