Apple Lock

Just eight days before Apple plans to release iOS 13, a security researcher has disclosed a passcode bypass that allows you to view the contacts on a locked device.

A passcode bypass is a vulnerability that allows someone to access the content on a device even when that device is locked. On iOS devices, when a device is locked, users should not be able to view the device’s stored information such as contacts, pictures, messages, etc.

A new passcode bypass was publicly disclosed by security researcher Jose Rodriguez. It uses a mixture of seemingly innocuous steps that, when done together, allow you to gain access to a device's contacts even when it is locked.

Based on the video, the steps to reproduce this bypass are:

  1. Reply to an incoming call with a custom message.
  2. Enable the VoiceOver feature.
  3. Disable the VoiceOver feature.
  4. Add a new contact to the custom message.
  5. Click on the contact's image to open the options menu and select “Add to existing contact”.
  6. When the list of contacts appears, tap on the other contact to view its info.

To demonstrate this passcode bypass, Rodriguez created a YouTube video showing how easy it is to see a device’s contact information.

In the description of the video, Rodriguez explains that he contacted Apple about this vulnerability on July 17th, 2019, while iOS was still in beta. As of September 11th, when the vulnerability was publicly disclosed, Apple had still not fixed the bug.

With Apple planning on releasing iOS 13 on September 19th, it is unclear if this bug will be fixed in time.

This is not the first passcode bypass bug released by Rodriguez. In the past, the researcher has found passcode bypasses in versions 12.0.1 and 12.1 of the iOS operating system.

Until a patch is released, the best way to protect your phone from bugs like this is to always have it in your possession and not leave it around for others to access.