The iOS 12.1 Group FaceTime bug allows viewing the details of a locked iPhone.

By Malcolm Owen
On Thursday, November 01, 2018 at 10:21 am Eastern Time (13:21 ET)

A bug has been discovered in the way iOS 12.1 handles FaceTime group calls. A bug can allow a hacker to access the details of a contact stored on an iPhone without having to unlock the smartphone.

The public release of iOS 12.1 allowed iPhone and iPad users to make FaceTime group calls, which extends the existing FaceTime feature to allow 32 callers to participate in a video conference. While the change increases the caller 's limit by two, the mechanism for adding contacts also seems subject to abuse, even when the iPhone is locked.

Security researcher Jose Rodriguez discovered the problem, reports The hacker News, which operates a number of items in iOS that Apple allows to use without unlocking the iPhone.

In the video demo, the attacked iPhone is called by another iPhone and the call is made. Once connected, Rodriguez makes the transition from the call to a FaceTime video call, then in the menu at the bottom right, selects "Add Person".

By pressing the Plus icon, the device's contact list is displayed in the process to add a new user. Rather than add, the use of 3D Touch on each contact can display more details, including email addresses, phone numbers and other information.

The attack itself will work on all iPhones running iOS 12.1, including the iPhone XS and the iPhone XS Max, but apparently not on the iPhone XR. AppleInsider tried to perform the same test on an iPhone XR, but if the contact list can be displayed in locked mode, the lack of 3D Touch means that additional contact data is not available.

Rodriguez has already discovered other ways to access contacts and data from a locked iPhone. Methods revealed in September and October included the VoiceOver screen reader function and, in one case, the Notes application. The latest discovery is a much simpler process and does not require VoiceOver to be active, making it usable on a larger number of devices.

It should be emphasized that this type of attack on a device has a very limited scope. The attacker must both physically access the device and call from another iPhone to access FaceTime in the first place. The information that can be collected only concerns contacts. Therefore, the private data of a user stored on the iPhone risk.

It is likely that Apple will release a fix for this vulnerability in a future iOS update, but it is unclear how long users will have to wait before publishing it.