A new iOS lock screen exploit has been discovered by YouTuber iDeviceHelp, according to iDownload Blog. The bug lets anyone who has your iPhone or iPad bypass the passcode and access your contacts and photos. iDeviceHelp has already informed Apple of the exploit, which should be fixed in a forthcoming update.
To gain access to a phone in their possession, an attacker first presses and holds the Home button and asks Siri “Who am I?” Provided that the owner of the phone has not disabled Siri access on the Lock screen, a contact card for the owner will pop up with their phone number and any iMessage e-mail addresses associated with the phone. The attacker then uses another phone to launch FaceTime and call the number just obtained. When the locked phone rings, they tap the Message icon on its Lock screen and choose the “Custom” option in the “Respond with:” menu.
Without going into all the steps required from this point onwards, the exploit basically requires double-tapping the contact info bar and then immediately clicking on the keyboard, which has to be done very quickly in order for the exploit to work.
Also reporting on the story, AppleInsider said that it had been able to make the attack work on an iPhone SE, iPhone 6 Plus, and iPhone 6s Plus, but not the iPhone 7 or iPhone 7 Plus.
Another YouTuber, EverythingApplePro, says that the exploit can be carried out on any phone, going as far back as iOS 8.0.
Until Apple releases a fix for the exploit, it’s best to disable Siri when your phone is locked via the Touch ID and Passcode preferences, and/or take extra care that your iPhone or iPad doesn’t get into the hands of anyone untrustworthy.
Source: New Lock screen bug bypasses iPhone/iPad passcode, lets you see photos/contacts