A new vulnerability in the latest version of iOS allows thieves to view the photos on your iPhone and iPad—bypassing your passcode!
They can then select pictures from your camera roll and forward them on using Apple’s iMessages.
A bug that lets strangers see and share your personal images is a major concern for your smartphone security. So how is it done? What could the consequences be? And how can you protect yourself from this and similar exploits?
How Can You Tell If You’re at Risk?
This particular vulnerability was spotted by Jose Rodriguez, a security enthusiast who has previously uncovered a bug in iOS 12. The issue meant anyone with physical access to your handset could get past encryption and access your list of contacts; Apple patched this with the next update, iOS 12.0.1.
However, Rodriguez discovered another exploit, which is yet to be fixed (at the time of writing). And even if Apple does update its operating system, that doesn’t mean you’re running the latest version. Check which OS version you’re running by opening Settings > General > About.
You’ll find many details about your smartphone, including capacity, how many photos you have, and the current iOS version.
Ensuring the latest system is installed on your device is one of the key essentials for maintaining security.
How Do Hackers Get Into Your iPhone?
To do this, a criminal must have physical access to your phone. It can’t be done remotely.
Hackers bypass your passcode by asking Siri “who am I?” This displays the device’s contact details, which the thief can then call via another smartphone. But instead of answering the call, they go through Messages > Custom to reply using SMS or iMessages.
They enable VoiceOver, a handy feature for the visually-impaired, which makes the phone read out whatever’s on screen. Once located on the blank screen, it can also allow access to the Photo Library.
The iMessage interface reappears, albeit without the keyboard. Instead, it looks like a blank segment at the bottom of your screen. This is actually where the iPhone’s photos are displayed—although at that time, they’ll be invisible. Nonetheless, VoiceOver can read out the images’ characteristics. The hacker can subsequently select pictures and forward them onto another number.
It sounds quite complicated, but it isn’t.
Naturally, we don’t advise you to do this.
We certainly don’t advocate criminal practices, and if you want to try it on your own phone, some users have noted performance issues afterwards.
Why Should You Worry About This?
It’s bad enough to consider someone having your phone, let alone that they can view your camera roll.
“Encryption is only as good as your password.”
— @liamgh_, June 29, 2016
Anyone can do this. They don’t need to have stolen your smartphone (though there are plenty of ways they can profit from doing so). Let’s say you’ve left your iPhone on your desk at work while you go to lunch or on a toilet break. A peer can check out your private pictures, and, if they’re feeling especially malicious, forward them on to others.
But why would someone want to do this?
If it’s one of your “friends” or colleagues, they might have simply done it to wind you up. There’s a more sinister possibility, however: blackmail.
You could be tricked into thinking they have complete access to your gallery. There have been too many high-profile cases involving iCloud being hacked. Finding out someone else has even a few of your photos can be enough to convince you they can access everything. In the worst instances, this can lead to extortion—even sextortion, where hackers use personal images and videos to elicit further NSFW material.
But let’s make this clear: it’s very unlikely this will happen to you. Then again, why would you want to take that risk?
How Can You Protect Yourself?
Worried about how you can keep your device secure? It’s actually very simple.
Some would suggest turning off Siri. That’s the Scorched Earth method, so while that would work, you don’t need to do that for this issue.
Yes, toggling Siri can be a pain, especially if you use it to navigate your device anyway. Nonetheless, this isn’t the first time voice assistants have been used to exploit smartphone security. Disabling Siri now at least means you’re protected from this particular bug and you’re future-proofing yourself against similar vulnerabilities.
To do this, go to Settings > Siri & Search. You’ll see three options: Listen for “Hey Siri”; Press Home for Siri; and Allow Siri When Locked. Toggle these off. Your iPhone will warn you about the consequences of disabling Siri, but just tap Turn Off Siri in the pop-up.
However, if you’re not too worried about future exploits, you don’t need to turn all these off. Instead, just switch off Allow Siri When Locked.
Can You Still Trust iPhone Passcodes?
If they can be overcome so easily (or so it seems), you might be worried having a passcode is pointless. That’s certainly not the case.
Having a passcode typically means your personal information is protected from thieves and cybercriminals. It encrypts your data, rendering it unreadable, so, in theory, they can’t access your messages, financial details, social media accounts, photos, or anything else.
Okay, there are ways to get around it: you have to make sure it’s not something simple like “1234” or “1111” because anyone who has stolen your device will naturally try those first. With a more complex key, your data is generally secure.
However, government agencies like the National Security Agency (NSA) and the police have begun to employ sophisticated software to hack into encrypted smartphones.
Criminals are increasingly turning to iCloud to get to your private information. Nonetheless, a passcode is still the most secure method of safeguarding your iPhone, so please use this essential line of defense.