Apple’s iOS security team must be starting to feel as if they’re being besieged by security sleuth José Rodríguez.
In his latest YouTube proof-of-concept, the Spaniard demonstrates how an attacker with physical access to an Apple device running iOS 12.0.1 (including the latest X and XS models) can gain access to photos stored on it.
The bypass needs 13 steps and requires good timing but at the end of the process, photos can be extracted by selecting and sending them to any number.
Embarrassingly, Apple released iOS 12.0.1 last week to address a range of issues that had cropped up with iOS 12, including two separate lock screen bypass flaws publicised by Rodríguez in late September.
Admittedly, one of these was more serious because it allowed access to a device’s contacts, emails, telephone numbers, and photos, but at 37 steps it was also a lot trickier to pull off than his latest compromise.
The root cause of the issue is the same in all of these – namely using Siri to activate VoiceOver to perform certain tasks without having to unlock the phone.
VoiceOver is a vision accessibility feature that appeared in iPhone OS 3 (as it was then) in 2009.
While it’s true that researchers are always going to find unusual flaws from time to time, that one researcher has managed to uncover three in under a month is pretty special.
The annoying thing for Apple is that one of iOS 12’s biggest draws when it launched in mid-September was supposed to be the way it tightened up security.
Apple will no doubt add the latest bypass to its fix list for the iOS 12.1 update later this month, but until then the problem can be mitigated by disabling Siri’s lock screen access: go to Settings → Siri & Search and turn off Allow Siri when locked.
Purists might conclude that perhaps Siri and the lock screen don’t work well together because they are trying to do two incompatible things – lock the screen for security reasons while allowing this to be bypassed with voice commands.
Will Apple ever resolve the trade-off this involves? Apple’s iOS users must be starting to wonder.