Mr. Lockscreen Bypass has done it again.
Spanish security sleuth José Rodríguez on Friday posted a YouTube video of his most recent iOS lock-screen bypass: one that allows an iPhone to be tricked into showing its address book without the need to unlock the screen.
The researcher told The Register that he found this bypass in July, in what was then the beta of iOS 13.
As the video shows, the bypass involves receiving a call on the locked iPhone and opting to respond with a text message, then changing the "to" field of that message, which can be done through the VoiceOver accessibility feature. Editing the "to" field pulls up the phone's contacts list, thus enabling randoms to paw through your contacts without first unlocking your phone.
This isn’t a terribly serious bug. To exploit it, snoops have to get their hands on a victim’s device, and then they need to call it from another phone.
It's also reportedly pretty easy to prevent: as a reader tweeted after The Register posted its story, you just need to go to Settings > Face ID & Passcode (Touch ID & Passcode on older devices), scroll to Allow Access When Locked, and toggle off Reply with Message. That feature is reportedly enabled by default in iOS 13.
"And yet, seemingly mitigated by toggling the attached option. Was not able to reproduce the vulnerability any longer after disabling this option on the iOS 13 GM build. Would love additional confirmation, though." pic.twitter.com/EbgC4w04et
— Andrew Maxey (@andrewmaxey), September 13, 2019
Plus, the lockscreen workaround was found in a beta, which doesn't carry the same weight as a bug in a shipping product. That's reportedly why Apple reneged on its initial promise to pay Rodríguez the "gift" he asked for.
According to the researcher, he wanted a $1 Apple Store card. He told The Register that he wanted it as a trophy. First Apple said yes, Rodríguez said, then it said no:
I contacted Apple asking for a gift in thanks for reporting a passcode bypass; Apple agreed to give me a gift.
I reported the security problem and then Apple retracted, apologized and told me that it was not allowed to thank me with gifts for security reports during the beta period.
OK… rules are rules… but… really? We’re talking about a serial lockscreen hacker, here. Doesn’t he deserve a little something?
Even if his latest isn't terribly concerning from a security standpoint, his track record is kind of amazing. Here's the timeline I put together of his successful lockscreen bypasses leading up to this one. If you know of others, let me know:
- Mid-October 2018: he comes up with a new iPhone iOS 12.0.1 lockscreen bypass that exposed your photos…
- As in, the iOS 12.0.1 that Apple had released a week prior, to address a range of issues that had cropped up with iOS 12, including two separate lock screen bypass flaws Rodríguez published in late September 2018. One of iOS 12’s biggest draws when it launched in mid-September was supposed to be the way it tightened up security. Ouch!
- He’d already built a reputation for finding other iOS lock screen bypasses too. In 2016, Rodríguez found a Siri bug that allowed someone to bypass the lockscreen and gain access to contacts and photos. And before that…
- In 2015, he found an earlier bug in Siri that made the lockscreen in iOS 9 unsafe: again, the bug allowed anyone to see your photos and contacts. But wait, there’s more:
- In 2013, he had found (yet again) a lockscreen bug in iOS 6.1.3 that let unauthorized people bypass the lockscreen on an iPhone 4 using nothing more than a paperclip.
The Register reports that as of Friday, Apple hadn’t addressed the latest vulnerability.
Granted, if you decide to make only some things available when an iPhone is locked, rather than enforcing a strict boundary, then problems like this are probably quite hard to stop: every feature allowed on the lockscreen (reply to a message, answer a call, talk to Siri) is a path from the locked state into the rest of the system, and each one has to be checked for what it can reach. It certainly looks that way when you eyeball the long list of bypasses Rodríguez has come up with, some within mere weeks of Apple fixing the previous one.
And under normal circumstances, everything on your phone is linked together for usability and convenience (phone, SMS, contacts, etc.), and movement between apps is supposed to be slick and easy. The lockscreen is where that convenience collides with the need for a hard boundary.
Still and all, at this point, you wonder why Apple doesn’t just give Rodríguez the damn phone as part of their standard testing procedure.
C’mon Apple, just give him the phone! and the $1 coupon – framed so he can hang it on his wall!