One of the most anticipated launchings by Apple users is iOS 13, the new version of their operating system; however, although it has not yet arrived for the general public, a pentesting specialist has already discovered a security flaw that allows access the contacts’ information stored on an iPhone.
Security researcher Jose Rodriguez has reported finding this flaw, which allows anyone to bypass the device’s lock screen and access all the details of the victim’s contacts. The expert reported the flaw to Apple last July, but claims it is still possible to exploit it in the iOS Gold Master version, scheduled for launching next September 19th.
Last year, the same pentesting expert reported a security vulnerability in any iPhone running iOS 12 lock screen and, apparently, the exploit for iOS 13 works very similarly. The exploit consists of starting a call using the Apple’s FaceTime app to then access Siri background voice feature to access the contact list.
Finally, using some voice commands it is possible to extract names, phone numbers, email addresses and other details about the target user’s contacts.
Some security firms and independent researchers also tested the attack, corroborating its functionality; although they point out that it is not possible to access other kinds of information, such as PDF files or images stored on the device. “The attack depends on physical access to the iPhone and actually takes some time, which increases its complexity,” say specialists from the specialized platform The Verge.
This is not the first time that an iPhone lock screen flaw is reported. According to pentesting specialists from the International Institute of Cyber Security (IICS), the first of these reports arrived in 2013, when an expert reported that a flaw in iOS 6.1 that allowed any user with physical access to the device to extract names, phone numbers and even contacts’ pics. Another iOS 7 vulnerability was later discovered that also provided access to an iPhone’s contact list. Other versions of the system (iOS 8.1, iOS 12.1) also filed similar security errors prior to their release.