Apple recently fixed critical security vulnerabilities with iOS 14.8. However, a new iOS vulnerability discovered by researcher José Rodriguez allows bad actors to bypass the iPhone lock screen and access the Notes app by leveraging a combination of VoiceOver and common sharing tools.
On Monday, Rodriguez took to YouTube to show the exploit which is operable on iOS 14.8 as well as iOS 15. In the video, to bypass the iPhone’s lock screen, Rodriguez first asked Siri to switch on VoiceOver and navigate to Notes in the Control Center. A new note field opens, but no user content is revealed at this point. Rodriguez proceeded to invoke the Control Center and open the stopwatch function. Next, he accesses the previously opened Notes app via VoiceOver.
Instead of showing the empty Note, Rodriguez was granted access to the Notes database including saved content. Rodriguez had saved an example Note with text, an audio recording, an HTML link, a contact card, and more. Then, one could use the VoiceOver’s rotor to select and copy the note that can be exported to a second iPhone. In one of the scenarios demonstrated, the target device is called by the second iPhone. The bad actors can decline the call and paste the copied text into a custom Message response. Alternatively, the text can be pasted into Messages if the second iPhone sends a text message to the device being attacked.
Thankfully, this vulnerability has several caveats associated with it. First off, the attacker would need physical access to the victim’s iPhone. Secondly, the device must have Siri activated, Control Center available on the lock screen, and Notes and Clock accessible via the Control Center. In order to transfer the captured data, the attacker must know the victim’s phone number to place a call or send a message as described earlier. Additionally, this exploit does not work with passcode-protected notes.
Apple previously awarded Rodriguez $25,000 for discovering another lock screen bypass vulnerability allowing access to Notes. Apple designated his discovered vulnerability as our “partial access” bug leading to partial extraction of sensitive data. This limited his reward payout to a maximum of $100,000. Rodriguez told AppleInsider that this time, he uploaded the exploit to YouTube instead of reporting it through Apple’s Bug Bounty program because he hopes to shed light on the difficulties with the initiative.
While it would be challenging for bad actors to exploit this vulnerability, until a fix is released, you can simply disable Siri or restrict lock screen access to Control Center in Face ID & Passcode settings to stay safe. You can also protect your Notes with the passcode.[via AppleInsider]