Jose Rodriguez, a Spanish security researcher, and an iPhone enthusiast has managed to find a passcode bypass bug that allows attackers to access the contacts list on a locked iPhone. Rodriguez shared a video (see below) with The Hacker News to show how the bug works.
As detailed in the video, the passcode bypass bug is present in a new feature introduced in iOS 12.1 called Group FaceTime. This bug can be exploited by either receiving a phone call or asking Siri to make a phone, and by changing the call to FaceTime. Once switched to a FaceTime call, go to the bottom right menu and select “Add Person.” This will give access to the complete contact list of the targeted iPhone in spite of the device being locked. Further, by using the 3D Touch feature, you can see additional information of every contact in the contact list. According to Rodriguez, the new passcode bypass bug would work on only those iPhone models that support Apple’s Group FaceTime added in the iOS 12.1 release, as the attack utilizes Apple’s Facetime. The researcher also found that the hack works even without having Siri or VoiceOver screen reader feature enabled on a target iPhone. Last month, a similar passcode bypass bug was discovered by Rodriguez in iOS 12 that takes advantage of Siri and VoiceOver screen reader and allows an attacker to access photos and contact details on a locked iPhone XS as well as other Apple devices.