New iPhone Bug Gives Anyone Access To Your Photos

A security enthusiast who discovered a passcode bypass vulnerability in Apple's iOS 12 late last month has now disclosed another passcode bypass bug that works on the recently released iOS 12.0.1.

Jose Rodriguez, a Spanish amateur security researcher, discovered a bug in iOS 12 in late September that allows attackers with physical access to your iPhone to access your contacts and photos.

The bug was patched in iOS 12.0.1, but Rodriguez has now discovered a similar iPhone passcode bypass hack that works in 12.0.1 and is easier to execute than the bug he discovered and reported two weeks ago.

The new hack allows anyone with physical access to your locked iPhone to access your photo album, select photos and send them to anyone using Apple Messages.

Since the new hack requires much less effort than the previous one, it leaves any iPhone user vulnerable to a skeptical or distrustful partner, curious colleague, friend or roommate who could access your iPhone's photo album and grab your private photos.

Here's How to Bypass iPhone Lock Screen to Access Photos

The new passcode bypass takes about 10 steps, as follows:

• Call the target iPhone from any other phone (if you don't know the target's phone number, you can ask Siri "who I am," or ask Siri to make a call to your phone number digit by digit).

• Don't answer the call; instead, tap on "Messages" (enabled by default in iOS) and tap on "Custom" to reply via text message.

• Type any word in the text message box.

• Ask Siri to enable VoiceOver, a service meant for sight-impaired users.

• Tap on the camera icon.

• Invoke Siri with the iPhone's home button and at the same time double-tap the phone's screen (if it does not work, repeat it many times).

• When the screen goes black, swipe your finger on the screen up to the top left corner, where VoiceOver will read aloud what you have selected. Keep swiping until VoiceOver reads "Photo Library."

• Double tap on the screen to select Photo Library. This will take you back to the message screen, but you'll see a blank space in the place of the keyboard. It is actually an invisible Photo Library.

• Now swipe your finger up to have VoiceOver read aloud the characteristics of each photo.

• Double-tapping on a photo will display it while adding the picture to the text box, which you can then send to any number.

The new passcode bypass method works on all current iPhone models, including iPhone X and XS devices, running the latest version of the Apple mobile operating system, i.e., iOS 12 to 12.0.1.

Until Apple comes up with a security patch, you can temporarily fix the issue by disabling Siri from the lock screen.

Here's how to disable Siri: Go to Settings → Face ID & Passcode (Touch ID & Passcode on iPhones with Touch ID) and disable the Siri toggle under "Allow access when locked."

Of course, disabling Siri would cripple your iOS 12 experience, but would prevent attackers from abusing the feature and breaking into your iPhone.

Meanwhile, just wait for Apple to issue a software update to address the new iPhone passcode bypass bug as soon as possible. 

The Hacker News:
