CVE-2024-44139

Vulnerability

A lock screen vulnerability in iOS and iPadOS prior to version 18 allows an attacker with physical access to the device to access contacts without authentication. The issue was addressed with improved checks in iOS 18 and iPadOS 18. Affected devices include iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later [1].

Exploitation

An attacker with physical access to an unlocked or locked device can exploit this vulnerability to view contacts. The exact exploitation method is not disclosed in available references, but it requires physical proximity and access to the device's lock screen [1].

Impact

Successful exploitation allows the attacker to read contact information stored on the device, leading to unauthorized disclosure of personal data. The attacker gains access to contact names, phone numbers, email addresses, and other details without needing to unlock the device [1].

Mitigation

The vulnerability is fixed in iOS 18 and iPadOS 18, released on September 16, 2024. Users should update their devices to the latest operating system version. No workarounds are provided for devices that cannot be updated [1].