APPLE MAY HARP ON about how secure iOS 12 is but a hacker has found a way to bypass the passcode on iPhones by exploiting Siri.
Security researcher Jose Rodriguez has showcased a workaround that allows access to an iPhone's contacts and photos without the need to tap in a password.
The techniques look a little fiddly but Rodriguez's videos (below) show it doesn't necessarily take a lot of technical nous.
The crux of the passcode bypass sits with the VoiceOver feature of Siri, which dictates what's going happening on the iPhone's display for people with visual impairments.
By activating Siri to command the VoiceOVer feature, Rodriguez could then use another phone to call the targeted iPhone and then open the messages menus that pop up when the iPhone receives a call, then a text is sent from the other phone to the iPhone.
That causes a blank screen to be displayed thanks to a user interface conflict when iOS is trying to show a notification. But thanks to the VoiceOver feature Rodriguez was able to navigate the underlying menu and gain access to the original message.
From there it's possible to access the contact lists to add new recipients to the message. And Rodriguez was able to access the iPhone's Camera Roll by activating VoiceOver and quickly swiping to the camera feature.
A similar technique was used by Rodriguez to bypass the passcode in order to create and share notes through Siri.
The passcode bypass works with iOS 12 and iOS 12.1 and Apple hasn't turned up with a patch yet. But it can be mitigated by using Face ID or by switching off the ability for Siri to enable VoiceOver.
And such a hack attack isn't exactly viable unless a hacker has direct access to an iPhone. But it's a vulnerability nevertheless, and it's likely Apple will update iOS 12 to patch over the flaw.
Still, if you're one of the people who decided to drop more than a grand on an iPhone XS was a good idea, you'd be a bit miffed to find it doesn't quite have the security Apple touts. µ
The week in Google in brief
Sega hedgehogging its bets
And not a purple duck in sight