Researcher Jose Rodriguez told reporters at The Register that the latest version of iOS is vulnerable to the same type of lock screen bypass as previous versions. Rodriguez discovered the bug, which allows the address book to be opened without unlocking the device, back in July of this year, when iOS 13 was in beta.
The attack in action can be seen in the video below. Like other similar bugs, this problem requires physical access to the device. The bypass involves receiving a call and choosing to respond to it with a text message. After that, the value of the “to” field for this message is changed using the VoiceOver functionality. As a result, the “to” field provides access to the contact list of the device owner, giving an attacker the opportunity to examine the victim's address book without having to unlock the iPhone.
Preventing such an attack is quite easy: just turn off, in the settings, the ability to respond to a call with a text message from the lock screen. Unfortunately, this feature is enabled by default in iOS 13.
Rodriguez told reporters that although this is not a critical bug, he still contacted Apple to inform the company about the vulnerability, and asked for a gift as a reward for his find. The expert did not ask for a large monetary reward: he asked for an Apple Store card with a face value of 1 dollar, to keep as a trophy. At first, the company agreed to thank the researcher, but later told him that there would be no “prize”, since iOS 13 was in beta at that time and rewards are not given for bugs found in beta versions.
The researcher emphasizes that the bug has not yet been fixed and works even in the latest builds of iOS 13, which should be released later this month.
Note that this is far from the first such vulnerability Rodriguez has found in Apple products. The researcher has repeatedly found different ways to bypass the lock screen. For example, earlier bugs of this kind made it possible to access other people's photos.