Jose Rodriguez, a Spanish amateur security researcher, discovered a critical bug in iOS 12 in late September that allows an attacker with physical access to your iPhone to access your personal contacts and photos.
Apple patched the bug in the iOS 12.0.1 release, but Rodriguez discovered a similar iPhone passcode bypass that works in the latest patch and is easier to execute than the previous bug.
The new hack allows anyone with physical access to your locked iPhone to access your photo album, select photos and send them to anyone using Apple Messages.
Since the new hack requires much less effort than the previous one, it leaves any iPhone user vulnerable to a skeptical or distrustful partner, curious colleague, friend or roommate who could access your iPhone’s photo album and grab your private photos.
Security Researcher Demonstrates iPhone Lock Screen Bypass
As seen in Jose’s video demonstration, the new hack takes advantage of Siri and the VoiceOver screen reader to get through the iPhone’s defenses.
All current iPhone models, including X and XS devices, running iOS 12 to 12.0.1 are vulnerable to this bug.
Until this latest bug is patched, you can fix the issue by disabling Siri from the lockscreen. Here’s how to do it:
Go to Settings → Face ID & Passcode (Touch ID & Passcode on iPhones with Touch ID) and disable the Siri toggle under “Allow access when locked.”
Disabling Siri reduces your phone’s functionality when it’s locked. However, we think the security tradeoff is well worth it. Many business users of iPhone have contacts and photos that may contain sensitive business information.
In fact, we recommend leaving Siri off on the lockscreen permanently, just to stay on the safe side. Here at Kirbside and for many of our customers, this is an enforced rule on all corporate devices to prevent data leakage. Want to have control over how mobile devices protect your data? Check out our Stellar IT offering, which includes Mobile Device Management.
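For teams that enforce this rule through MDM, the check below is an added example (not Kirbside's own tooling) that audits a configuration profile for the lock-screen Siri restriction. It assumes an unsigned `.mobileconfig` and relies on the `allowAssistantWhileLocked` key of Apple's Restrictions payload (`com.apple.applicationaccess`); the sample profiles, identifiers and UUIDs are constructed placeholders.

```python
import plistlib

RESTRICTIONS = "com.apple.applicationaccess"  # Apple's Restrictions payload type
KEY = "allowAssistantWhileLocked"             # false = no Siri on the lock screen


def make_profile(restrictions):
    """Constructed sample profile. restrictions: None (no Restrictions payload)
    or a dict of restriction keys to place in one."""
    payloads = []
    if restrictions is not None:
        payloads.append({
            "PayloadType": RESTRICTIONS,
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.restrictions",  # placeholder
            "PayloadUUID": "00000000-0000-0000-0000-000000000001",
            **restrictions,
        })
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile",  # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadContent": payloads,
    })


def siri_lockscreen_status(profile_bytes):
    """Classify an unsigned .mobileconfig by its lock-screen Siri setting."""
    profile = plistlib.loads(profile_bytes)
    values = [p.get(KEY) for p in profile.get("PayloadContent", [])
              if p.get("PayloadType") == RESTRICTIONS]
    if not values:
        return "no-restrictions-payload"
    if any(v is False for v in values):   # this check treats one false as enough
        return "blocked"
    if any(v is True for v in values):
        return "allowed-explicit"
    return "allowed-default"   # key absent: Siri stays available when locked


if __name__ == "__main__":
    for name, r in [("hardened", {KEY: False}), ("weak", {KEY: True}),
                    ("key missing", {"allowCamera": True}), ("no payload", None)]:
        print(f"{name:12} -> {siri_lockscreen_status(make_profile(r))}")
```

Only the `blocked` result matches the rule described above; a profile that omits the key leaves Siri reachable from the lock screen.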