Apple closed out the month of October with the release of several new products and a significant update to its mobile operating system, iOS, for compatible iPhones. The official iOS 12.1 update was released on October 30, but just hours after its release, a popular security boffin discovered a major security bug that allows a passcode-protected lock screen to be bypassed and gives the user or a potential trespasser full access to the phone’s contacts, according to a report from The Verge.
Apple’s 12.1 software update addressed a number of bugs found in the previous version of iOS, including the “beautygate” bug, which caused selfies taken on the iPhone to appear filtered, as well as a charging issue, which prevented some devices from charging via a Lightning connection when the screen was inactive. Tech enthusiasts were relieved by the removal of these bugs, but it wasn’t long before another issue was identified.
Jose Rodriguez, a popular Spanish security researcher, took to his YouTube channel to post his discovery of the bypass vulnerability. Rodriguez demonstrated it on the newly released iOS 12.1 by initiating a FaceTime call and accessing Apple’s new group FaceTime feature to view contacts without needing to enter a passcode. The exploit grants full access to the iPhone’s contact list.
While connected to a call, Rodriguez taps the FaceTime option from the call menu screen, then swipes up from the bottom of the screen to put the iPhone in airplane mode before accessing the new “add person” feature. After tapping the plus icon, he shows how he is able to access phone numbers, email addresses, physical addresses, and other personal contact information that may be stored.
Many have called iOS 12 Apple’s best iteration of its mobile operating system to date, but it’s hard to overlook that the company may have dropped the ball in the security department. On September 26, Rodriguez found and posted about another passcode bypass that granted access to the contacts and photographs stored on the device.
The Verge reports that the tech company has a long history of lock screen bypass bugs. In 2013, there was a bug found in iOS 6.1, which allowed free access to call records, photos, and contacts stored on the device. iOS 7 brought a very similar security bypass, and security researchers were also able to find yet another lock screen bypass bug in the iOS 8.1 update a few years ago.
There is no denying the trillion-dollar company is doing an impressive job with its hardware, but it seems software lock screen bugs have remained a constant struggle over the years.
The most recent bug will likely be patched in a future update.