1(630)802-8605 Ravi.das@bn-inc.net

While some of you might be relishing your new iPhones that just came out, there is word now of a new Security Vulnerability from within the iOS itself.  The affected version is iOS 12, and the flaw exists with the passcode that you set up and create when you first get your iPhone.

This particular vulnerability could allow a Cyber attacker to access photos and your contact address book on a locked iPhone. The affected models the iPhone models that come with the Face ID functionality. However, to exploit this flaw the Cyber attacker must have physical access to the iPhone.

The discoverer of this bug is Jose Rodriguez, whom is actually a postal clerk that lives in Spain. He claims to be a self-taught iOS expert, and has actually demonstrated how this flaw can be flaw can be further exploited by a Cyber attacker on You Tube.  It is actually a complex process, as there are 36 steps that are involved.  He has also claimed that this vulnerability can be taken advantage of on other iPhone modes, even including the iPhone XS.

Here is a summary of how this hack can actually happen:

*The Voiceover functionality is activated by using Siri.  From, there the Cyber attacker can then call the victim iPhone from a different device. When the call appears on the screen, the Cyber attacker then taps the “Message” button. This creates a custom text message.

*Once this specific text message has been accessed, the Cyber attacker then clicks on the “+” symbol, which gives the appearance of adding another contact. In turn, another Smartphone is then used to call the soon to be victimized iPhone, which then triggers a notification.

*After the second has been accomplished, the Cyber attacker then then needs to double tap the screen on the victim iPhone, in an effort to cause a “conflict” in the iOS user interface.

*This conflict then causes the victim iPhone’s screen to go blank, in which Siri is reactivated and quickly deactivated.  This in turn allows the Cyber attacker to access the dialed and received phone number and contacts, as well as any associated metadata.

Once this flaw has been completely exploited by the Cyber attacker, the following is also possible:

*The entire address book can be accessed;

*Perform a 3D touch gesture on a contact, adding such functionalities as:

  • Call;
  • Message;
  • Add to Existing Contact;
  • Create New Contact.

Jose Rodriguez stated that a second Smartphone is needed in order to create the bypass, as just described in the steps above.  He also noted that it is possible to retrieve photos by enabling the VoiceOver functionality, and from there, swiping down to the “Camera Roll” option.

He has even ventured so far to visually demonstrate as to how all of this can be done.  Here are the You Tube links that you can download and watch:

https://www.youtube.com/watch?v=X2yQS1VzmZ0&feature=youtu.be

https://www.youtube.com/watch?v=fZh4cM3R0qU&feature=youtu.be

My thoughts on this?

Although I am far from being an Apple expert, I have worked with their tools all the way back since 1999, starting out with the Mac Classic.  For quite a number of years after that, I stopped using their tools, and instead went over to Windows.  I now use their technology to a certain degree, as I have an iPhone version 5.  Granted it is an older model, but hey, it does what it needs to.

It seems like to me that in the last year or so, there have been more Security related flaws with Apple products and their iOS than ever before.  I don’t why this is the case, but other Cyber security researchers are also noticing the same trend as well.

In response to this, Apple about two years ago, launched its own type of Bug Bounty program in which invited hackers were asked to break into the iOS, and try to discover any unseen holes or vulnerabilities.  This program has been luke warm to reception, while the payout is great, it takes Apple forever to issue the money.

In fact, in a past blog I wrote about this, there are many Cyber security firms who quietly conduct their own research onto iOS flaws, but for some reason or another again, they never go reported.  It should be noted that this vulnerability on which I wrote upon today actually even exists in other iPhone variant models.  It seems to be that the Virtual Personal Assistant, Siri, is at the crux of most these weaknesses.

But when in comparison to the Android OS, the iOS still remains relatively stable and secure overall.  Just make sure that you keep downloading and applying the regular firmware and software updates with the “Automatic Updates” feature on your iPhone.