The hack works on the latest iOS 12 beta and iOS 12 operating systems, as demonstrated by Rodriguez in a couple of videos he published on YouTube (Videosdebarraquito).
The passcode bypass vulnerability affects a number of other iPhone models including the latest model iPhone XS.
An attacker can access the images on the devices by editing a contact and changing the image associated with a specific caller.
Apple has addressed the issue allowing images to be viewed via contacts, but Rodriguez devised a new method to circumvent the mitigations implemented by Apple.
The attack exploits the VoiceOver feature that enables accessibility features on iPhone, for this reason, the vulnerable device needs to have Siri enabled and Face ID either turned off or physically covered.
A step by step guide for the Rodriguez’s attack was published by the website Gadget Hacks.
In November 2017, experts discovered a flaw in iOS 8 and newer versions of the Apple OS that allowed bypassing the iPhone Passcode protection, even when Touch ID was properly configured, and access photos and messages stored on the device.
(Security Affairs – iPhone XS, hacking)