Jose Rodriguez, a Spanish Apple enthusiast, has discovered a new security flaw to be aware of. He posted a Proof of Concept video showing the exploit in action.
We'll say upfront that this is a highly convoluted attack involving more than two dozen discrete steps. A hacker would need to be in possession of the phone to pull it off, so it's not something that's likely to become a major threat.
Even so, we'll provide the details below.
Apple has built in security measures that are designed to prevent someone from tricking Siri into allowing unauthorized access to the phone. Unfortunately, by using a complex series of steps involving both Siri and Apple's Notes application, it's possible for a hacker to bypass those security measures, access images stored on the phone, and then change the image associated with a contact or the owner of the phone.
This method is effective on both iOS 12 and the iOS 12.1 beta, which means that Apple's recent patch to their OS does not and will not prevent this exploit from working. Worse, the company has yet to comment on the matter, so at this point, there's no timetable for a fix.
The independent news site Threatpost has been able to replicate the attack, so we have third-party confirmation.
Fortunately, there's a simple way to negate the attack entirely while we're waiting for a patch to close the loophole once and for all. Simply go to Settings > Face ID & Passcode (or Touch ID & Passcode), and disable the "Allow access when locked" option for Siri.
Again, it's important to reiterate that this is a highly complex attack that involves having both physical access to the device and more than two dozen steps, so this is not an issue that's likely to be widespread. Even so, it pays to take precautions until Apple can roll out a fix.