Critical iPhone bug lets kids bypass parental controls: Details here
Just recently, Apple released iOS 13.3 with some major bug fixes and parental control improvements for iPhones. The company added new capabilities to let parents control who their kids can call, text, or FaceTime from their devices. However, as it turns out, the release carries serious flaws that allow kids to bypass these restrictions, just as easily. Here's all about it.
First, a quick recap on latest parental control changes
With iOS 13.3, Apple introduced an option called Community Limits in the Screen Time setting. The feature allows the organizer of the family - who sets up family sharing on every member's device - to choose kids' accounts and pick if they can text/call/FaceTime everyone, all address-book contacts, or a subset of them. The restriction worked according to the screen time chosen by parents.
However, there are some bugs in the feature
While the feature sounds promising, the folks at CNBC found that some bugs related to iCloud's contact syncing allow kids to bypass call/text restrictions set by their parents. Essentially, they noted that if an iPhone's contacts aren't stored on iCloud, parental controls designed to prevent its owner's communication with strangers (that are not in the phone's address book) doesn't work properly or kick in.
Exploits demonstrated to bypass parental controls
CNBC demonstrated exploits to bypass parental controls by configuring an iPhone to prevent communication with any number that's not in its address book. In one case, when an unknown message appeared, iMessage displayed a warning saying that it's a restricted contact. However, it also provided an 'Add contact' button that allowed the owner to add that number into their address book and chat indefinitely.
PIN should have prevented addition of new contact
If the feature had been working properly, a parental PIN would have popped up on the screen, blocking the attempt to add the unknown contact and chat with them without any limit. However, that didn't happen in the test.
Alternatively, Siri can also be asked to text, call
In the second exploit, they showed that Siri on Apple Watch can also be used to bypass parental control. One just has to ask the assistant to call/text a number and it will do it, completing ignoring parental restrictions or the fact that the number of the person being called/texted isn't in the address book of the iPhone to which the watch is paired.
Apple confirmed the bugs, developing fixes
Following the revelation, Apple confirmed the bugs and said it is working on a fix for them. However, despite knowing that the issue can directly put children at risk of getting in touch with strangers, the company didn't say anything about when the patches would be released. It only mentioned that parents can avoid these exploits for now by switching to iCloud contact syncing.
