Jose Rodriguez, a Spanish amateur cybersecurity specialist, has discovered a bug in iOS 12 that allows an attacker with physical access to a locked iPhone to access all of its photos.

Rodriguez has discovered that iPhones running iOS 12.0.1 are vulnerable to a passcode bypass attack that is also quite easy to execute.

Anyone who knows about his discovery and has physical access to your locked iPhone can get full access to your photo album. They can also pick pictures and send them to any other phone that uses Apple Messages.

People believe that this smartphone brand is extremely secure, but it is now emerging that all iPhone users are vulnerable to a distrustful partner, a curious colleague or an outrageous boss, because absolutely anyone can access your iPhone's photo album, look through the photos and send them to whomever they wish.

How to bypass iPhone lock screen to access photos?

Jose Rodriguez made a video showing that the bug he discovered takes advantage of Siri and the VoiceOver screen reader to bypass the phone's protection:

Step by step

  • Call the attacked iPhone from any other phone.
  • Do not answer the call; instead, tap on "Messages" and then on "Custom" to reply via text message.
  • Enter any word in the text message box.
  • Tell Siri to activate VoiceOver, a service meant for sight-impaired users.
  • Touch the camera icon.
  • Invoke Siri with the iPhone's "home" button while at the same time double-tapping the phone's screen. If it does not work, then repeat many times.
  • When the screen becomes black, swipe your finger on the screen up to the top left corner. VoiceOver will read aloud what you have chosen. Scroll until VoiceOver reads "Photo Library".
  • Double-tap on the screen to select "Photo Library". This will take you back to the message screen, but you'll see a blank space in the place of the keyboard - this is actually the invisible Photo Library.
  • Slide your finger up to have VoiceOver read aloud the characteristics of each picture.
  • Double-tapping a photo will display it while adding the picture to the text box, which you can then send to any number.

If you think your files are safe, note that the new passcode bypass method is successful against all current iPhone models, including the iPhone X and XS devices running the latest version of the Apple mobile operating system, i.e., iOS 12 to 12.0.1.

Until Apple releases a patch for this security bug, AMATAS cybersecurity experts can advise just one thing, and it solves the problem only temporarily. For the time being, the only way to achieve this is by disabling Siri on the lock screen.

How to disable Siri

Go to Settings → Face ID & Passcode (Touch ID & Passcode on iPhones with Touch ID) and disable the Siri toggle under "Allow access when locked".

Of course, by deactivating Siri you will not be able to use its functionality, but you will prevent anyone who knows about this from abusing the iPhone passcode bypass bug to access your private pictures and send them to whomever they wish.

According to cybersecurity experts, the existence of this bug is less critical than the fact that its discoverer is a novice in the profession and that the bug is pretty easy to exploit. This once again proves that there is no absolute security guarantee in today's technological world. Therefore, everyone should take regular measures to ensure their own cyberspace protection and choose a trustworthy cybersecurity company very carefully.

Photo: The Hacker News