CVE-2024-27819 in iOSinfo

Summary

by MITRE • 06/11/2024

The issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 17.5 and iPadOS 17.5. An attacker with physical access may be able to access contacts from the lock screen.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 04/03/2026

The vulnerability described in CVE-2024-27819 represents a significant security flaw in Apple's mobile operating systems that allows unauthorized access to sensitive contact information through the lock screen interface. This issue specifically affects devices running iOS and iPadOS versions prior to 17.5, where the security restrictions implemented on locked devices were insufficient to prevent data access. The flaw demonstrates a critical weakness in the device's authentication and authorization mechanisms, particularly when physical access is obtained by an attacker. According to industry standards such as CWE-284, this vulnerability falls under improper access control issues where the system fails to properly enforce access restrictions, allowing unauthorized entities to bypass security measures that should protect sensitive data. The vulnerability specifically relates to the lock screen's handling of contact information, which should be restricted to authorized users only.

The technical implementation of this vulnerability stems from inadequate restrictions on the lock screen interface where users can access contact information without proper authentication. When a device is locked, the system should enforce strict access controls that prevent unauthorized individuals from viewing sensitive data, including contact details, calendar entries, and other personal information. However, in affected versions, the lock screen presented options that allowed attackers with physical access to browse through contacts without entering a passcode or using biometric authentication. This represents a failure in the device's security model where the user interface elements remain accessible even when the device is secured, creating an attack surface that should be closed. The flaw operates under the principle that the lock screen should act as a barrier to unauthorized access, but in this case, that barrier was insufficiently enforced. This vulnerability aligns with ATT&CK technique T1217 which describes the exploitation of system vulnerabilities to gain access to protected information.

The operational impact of this vulnerability extends beyond simple privacy concerns to encompass potential identity theft, social engineering opportunities, and unauthorized access to personal communication networks. Attackers with physical access to a locked device could compile comprehensive contact lists containing phone numbers, email addresses, and other personal identifiers that could be used for targeted attacks, phishing campaigns, or other malicious activities. The vulnerability is particularly concerning because it requires no network connectivity or specialized tools to exploit, making it accessible to anyone with physical possession of the device. This type of attack is classified as a local privilege escalation or unauthorized access attack, where the attacker leverages their physical presence to bypass security controls. The risk is elevated because the attack vector is simple and the impact is significant, potentially exposing thousands of contacts to unauthorized access. Organizations and individuals who rely on mobile devices for sensitive communications face increased risk of targeted attacks when this vulnerability exists.

The fix implemented by Apple in iOS 17.5 and iPadOS 17.5 addresses this vulnerability by strengthening the access control mechanisms on the lock screen interface. This update ensures that contact information and other sensitive data are properly restricted when the device is locked, requiring proper authentication before access is granted. The solution involves modifying the lock screen behavior to remove or disable options that allow browsing of contact information without proper credentials. Security researchers and vulnerability analysts have noted that this update represents a comprehensive approach to addressing the access control weakness, implementing proper security boundaries that prevent unauthorized access to personal data. Organizations should prioritize updating their devices to the latest iOS and iPadOS versions to mitigate this risk, as the vulnerability creates a persistent threat to user privacy and data security. The fix aligns with security best practices outlined in NIST guidelines for mobile device security, which emphasize the importance of proper access control and authentication mechanisms. Without this update, devices remain vulnerable to attacks that exploit the fundamental security principle that locked devices should remain inaccessible to unauthorized users. The vulnerability serves as a reminder of the critical importance of maintaining up-to-date security patches and the potential consequences of failing to implement timely fixes for known security issues.

Reservation

02/26/2024

Disclosure

06/11/2024

Moderation

accepted

CPE

ready

EPSS

0.00259

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!