After introducing its proprietary facial recognition technology in the previous-generation iPhone X, Apple still touts security as a flagship feature of the iPhone XS series. Unfortunately, the latest version of iOS 12 has reportedly given way to another ‘passcode bypass’, making it possible to access the photos and contacts of a device without submitting a password.
Security researcher Jose Rodriguez showcased the workaround on his YouTube channel, stating that while he is using an iPhone XS Max to perform the trick, any device running iOS 12 or the iOS 12.1 beta is at risk. Fortunately, it seems as though the technique doesn’t work with Face ID enabled, and it takes quite a bit of time and precision to execute.
The method begins by prompting Apple’s voice assistant, Siri, to enable VoiceOver. A second device is needed to make a call to the victim handset. The attacker then needs to open the messages menu on the original device while it's calling, before sending a text from the second smartphone. Although a blank white screen is displayed, the perpetrator is then able to navigate the underlying menu by using VoiceOver to know what they're accessing.
Those unwilling to utilise Apple’s Face ID are in luck, as there is a simple setting that will prevent this circumvention from working. Simply revoke Siri’s lock screen access by going into the device’s Settings and navigating to Face ID & Passcode, notes Naked Security.
This isn’t the first time that Apple has seen its security bested, or a passcode bypass enacted, although this one is distinctly more complicated than previous flaws. Apple has yet to address the matter, but it’s unlikely to exist for too much longer.
KitGuru Says: While it’s not ideal for a £1000 smartphone, it doesn’t seem like there’s anything to truly worry about with this security flaw. It’s still worth patching out in a timely manner, particularly for those carrying sensitive data.