iOS 12.1 exploit bypasses the lockscreen for access to contacts

Another iOS lockscreen security bug

Apple released its latest iOS 12.1 update to devices earlier this week, and security researchers have already discovered a new lockscreen bypass. The exploit provides access to all contact information on an iPhone, and involves activating a FaceTime call and accessing the new group FaceTime feature to see contact information without a passcode.

This particular exploit only works on iOS 12.1, and was discovered hours after Apple released the update on Tuesday. We’ve tested this exploit and can confirm it works on iOS 12.1. It follows yet another lockscreen bypass in the previous iOS 12.0.1 update that allowed attackers to steal recent photos from a device. Both attacks require physical access to an iPhone, and are particularly troublesome for victims of domestic abuse or anyone who leaves a phone unattended in a shared space.

Apple has a long history of lockscreen bypass bugs. A bug in iOS 6.1 back in 2013 allowed attackers to access phone records, contacts, and photos freely. iOS 7 also included a similar security hole, and researchers found a rather elaborate way to bypass the iOS 8.1 lockscreen just a few years ago. Lockscreen bugs with iOS are almost as common as Daylight Saving Time (DST) bugs, which Apple has struggled with over the years.