New iPhone Exploit Lets You Bypass Someone's Lock Screen Using Siri & FaceTime
With the recent news that New York County's District Attorney's office is trying to get into over 400 locked iPhones for use in criminal investigations, you can see why it's important to keep other people away from your personal data. The fact that it can and will be used against you in a court of law is just one reason to protect your phone, because even if you make sure to stay above the fray, identity theft and bank fraud are still very real threats.
If you've set up Touch ID and passcode to lock your iPhone, you'll rightly think that your personal data is protected. But, as iDeviceHelp just discovered, there's no such thing as infallible security.
The YouTuber posits a scenario where a bad guy stumbles across someone's lost iPhone. He goes on to show how easy it would be to get personally-identifiable information about the device's owner just by asking Siri "Who am I?" Then, armed with that information, he proceeds to break into (supposedly) locked areas of the iPhone by simply making a call with FaceTime.
As you can see in the video, iDeviceHelp was able to access sensitive information like contacts just by having Siri enable the VoiceOver accessibility setting during a FaceTime call. He states that once he's gotten to that point, he could dig deeper to find even more personal info—such as all of the photos on the iPhone—and that's with the iPhone in question running the latest version of iOS 10.2. Here are the full steps to recreate this:
- Ask Siri "Who am I?" on the target iPhone.
- Call the target iPhone using FaceTime.
- On the target iPhone, tap on "Message" on the call screen, then "Custom."
- Ask Siri to "Turn on VoiceOver," then exit Siri.
- Double-tap on the contact bar where "To: person" is, then immediately tap on the keyboard. This may take a few tries.
- When the Camera, Digital Touch, and iMessage apps icons appear, ask Siri to "Turn off VoiceOver."
- Exit Siri, then type a letter on the keyboard to find contacts that begin with that letter.
- Look for a contact with an info icon, then tap on the "i."
- You're now in that contact's info.
- Hit "Create New Contact."
- Select "add photo" in the top-left.
- Finally, select "Choose Photo," and you'll have access to the entire iPhone's photos, even though the iPhone is still locked.
EverythingApplePro was able to recreate this too, as you can see below in his video. He also stated this should work for iPhones running iOS 8 to iOS 10.2, though, step 6 above may look different depending on the version number.
Luckily, there is a way to protect yourself from this particular hack—just disable Siri on your lock screen in Settings. Without the voice assistant, that "Who am I?" trick wouldn't work, nor would enabling VoiceOver.
But even then, there's no way to tell what the next lock screen bypass hack will rely on (we've seen pretty much everything over the years), so you should protect your iPhone as if it contained everything that's precious to you—because it probably does. And to make yourself even safer from outside threats and prying eyes, be sure to visit our iOS 10 security settings article below.