Apple has released fixes for a pair of vulnerabilities in iOS that could allow an attacker to bypass the lock screen passcode protection on iPhones in some circumstances.
The two weaknesses are related, but separate. They both require physical access to the device and both allow someone to take certain specific actions from the lock screen without entering the passcode or using the Touch ID sensor to authenticate. One of the bugs affects the voice over function in iOS and someone with access to the device could use some simple voice commands to Siri to access the pictures and contacts.
“A lock screen issue allowed access to photos and contacts on a locked device. This issue was addressed by restricting options offered on a locked device,” Apple’s advisory says.
The second vulnerability is related to the Quick Look feature in iOS that enables users to preview attachments and content in apps. Someone with physical access to the iPhone could use the bug to share content without authenticating.
“A lock screen issue allowed access to the share function on a locked device. This issue was addressed by restricting options offered on a locked device,” the advisory says.
It’s important to note that in order to trigger these bugs, an attacker would need to have physical access to a vulnerable device. Jose Rodriguez, the researcher who discovered the two vulnerabilities, said that his discoveries were simply the result of trial and error, messing around with his iPhone to see what happened when he tried various things.
“I try to activate all the levers, in all imaginable combinations, it's nothing more than that, like an ‘escape room’ game,” Rodriguez said.
“It's the closest thing to reality, I look like a child pounding a mini piano and suddenly the musical notes coincide and sounds the beautiful melody of Close Encounters of the Third Kind.”
The patches are included in iOS 12.01, which Apple released Monday. The company also released a large group of patches for iCloud for Windows. All of the vulnerabilities Apple fixed in that update are in its WebKit framework and include several flaws that could lead to arbitrary code execution.