iOS 12.1 lockscreen security flaw can expose your contacts list, here's how to protect yourself


Apple's software updates for the iPhone, iPad, and Apple Watch have been out for a couple of days, and so far, the rollout isn't exactly going smoothly. The company had to pull watchOS 5.1 after receiving reports that the update bricked certain Apple Watch Series 4 units, and now, it appears that some issues have slipped into the latest version of iOS as well.

A lockscreen security flaw that is specific to iOS 12.1 has been discovered by Jose Rodriguez. On October 31, the YouTuber uploaded a video showing how lockscreen passwords on an iPhone can be bypassed in order to gain access to the owner's contact list via Siri.

Asking the voice assistant to make a phone call and then switching to FaceTime lets an attacker use the new Group FaceTime feature to add more people to the call. From there, the user's complete contact list is exposed, and malicious parties can even use 3D Touch to get more info on people on the list.

Keep in mind that this exploit requires the attacker to have physical access to your phone, so we recommend that you don't leave it unattended. Apple will most likely address the issue soon, but if you want an immediate fix, just disable the activation of Siri from your lock screen. This is done by going to Settings -> Siri & Search -> Access When Locked.


15 Comments

1. notfair

Posts: 755; Member since: Jan 30, 2017

The most secure OS in the WORLD!

4. Peaceboy

Posts: 640; Member since: Oct 11, 2018

Haven’t heard about security in Android and FBI filing against Google to have backdoor. I guess that explains it.

7. AmashAziz

Posts: 2934; Member since: Jun 30, 2014

Most secure doesn't mean 100% secure....

13. sissy246

Posts: 7124; Member since: Mar 04, 2015

True. Nothing is 100% safe.

9. Dr.Phil

Posts: 2458; Member since: Feb 14, 2011

And yet every Android not running the latest Pie is subject to a pretty major security flaw that would affect you even more since you don’t need physical access. https://bgr.com/2018/09/01/android-vulnerability-discovered/

15. RebelwithoutaClue unregistered

Have you even read the article? Apart from the information being not that important (mostly network data like MAC and DNS and such), it only works for apps installed on your phone. Since an app doesn't install itself, you do need physical access. Doesn't mean it isn't an issue, but it's not a biggie. Having said this, I don't consider this iOS flaw big either, since they will patch it soon anyway.

10. Trex95

Posts: 2383; Member since: Mar 03, 2013

2. worldpeace

Posts: 3135; Member since: Apr 15, 2016

Every new update is just fixing bugs that shouldn't be there in the first place, while adding new bugs that will get fixed in the next update. And sheeple will still be bragging about how iOS always releases updates every now and then.. Monthly stable and bug-free update > Weekly bugged update with a chance of bricking device.

3. Gustavoar

Posts: 22; Member since: Jan 13, 2016

That's when you see that those full roll-outs are dangerous and, even though they don't have a good image with the end-user, the staged roll-outs that Google does are much better to avoid those kinds of bugs hitting everyone.

6. Crispin_Gatieza

Posts: 3157; Member since: Jan 23, 2014

Yeah sure, the Pixel series has been such a successful, bug-free release. Nigg* please.

8. Gustavoar

Posts: 22; Member since: Jan 13, 2016

That has nothing to do with what I said. I was talking about problems that can occur when pushing updates over the air to end users. The Pixel problems have nothing to do with over the air updates...

12. Trex95

Posts: 2383; Member since: Mar 03, 2013

Just disable Siri from lock screen and you're good to go.

14. Venom

Posts: 3747; Member since: Dec 14, 2017

Ignorance is Bliss.

5. syntaxlord

Posts: 239; Member since: Oct 01, 2018

Sh*t I literally just updated...

11. Valdomero

Posts: 698; Member since: Nov 13, 2012

Meh, I disabled Siri the moment I activated my iPhone, so nothing to worry about. Besides, why update immediately? I always wait a week or two to see what exploits are up and decide whether it is viable or not to update.
