Apple's new iOS 13 iPhone update has a security flaw that lets you bypass the lock screen to view contact lists
Crystal Cox/Business Insider
- Apple's latest iPhone software update includes a bug that makes it possible to access a device's contact list without unlocking the phone.
- A researcher turned up the flaw in the beta version of the new iOS 13, and says he told Apple about it in July. However, it's still present in the general release of the software, which went out to iPhones this week.
- Apple has already announced its next software update, iOS 13.1, which will roll out next week on September 24th. An Apple spokesperson told Ars Technica that this update has a fix for the bug in question.
When new versions of iOS include bugs, they typically come as a surprise. But the world was aware of a potential security bug in the new iOS 13 update well before its formal release this week - and despite that awareness, the bug appeared in the version that was released to iPhone users.
The bug is a security flaw that makes it possible to access a device's contact list without unlocking the phone first. It was first uncovered by Jose Rodriguez, a tech researcher, in the public beta version of iOS 13 that was released to developers. Rodriguez demonstrates the bug in a video.
In the description of the YouTube video, Rodriguez claims he notified Apple of the flaw on July 17. He posted a video of his method in August, and just about a week ago, circulated a new video that garnered widespread news coverage.
To exploit the flaw, it seems, all one has to do is receive a FaceTime call on the iPhone and then use Siri's voiceover feature - which lets users control their phone with their voice - to send a text message. Once on the screen for sending a text message, users can easily search the phone's entire contact list just by clicking the field to choose a recipient.
This process takes a few minutes, so the bypass could only be carried out by someone who has physical possession of a stolen device - the type of attacker that security measures like passcodes, Touch ID, and Face ID are meant to keep out.
Apple did not immediately respond to a request for comment from Business Insider, and has not made any public statement on the bug. However, Apple has already moved up the release of iOS 13.1, which will roll out next week on September 24th and include a number of bug fixes - and a spokesperson told Ars Technica that the 13.1 update will fix the problem.
The presence of bugs in iOS 13 has already been widely documented. Earlier this week, the US Department of Defense instructed its employees and contractors not to download iOS 13 and to instead wait until the release of iOS 13.1, according to a report from Inc. Outside the public sector, users have reported running into their share of bugs themselves.