CVE-2024-40851 is a vulnerability identified in Apple’s iOS and iPadOS platforms that permits an attacker with physical access to a locked device to access contact photos directly from the lock screen. The root cause is insufficient restriction of options available on the lock screen, which inadvertently allows viewing of contact images without unlocking the device or requiring user interaction. This vulnerability affects all versions prior to iOS and iPadOS 18.1, where Apple implemented a fix by restricting the lock screen options to prevent unauthorized access to contact photos. The vulnerability has a CVSS 3.1 base score of 2.4, indicating a low severity primarily due to the limited confidentiality impact and the requirement for physical access. There is no impact on integrity or availability, and no privileges or user interaction are needed beyond physical possession of the device. No known exploits have been reported in the wild, suggesting limited active exploitation. The vulnerability mainly raises privacy concerns, as contact photos can reveal personal or sensitive information about the device owner’s contacts, potentially aiding social engineering or targeted attacks. The fix involves software updates that restrict what can be accessed from the lock screen, thereby closing the information leakage vector.

The primary impact of CVE-2024-40851 is a privacy breach, as unauthorized individuals with physical access to a locked iOS or iPadOS device can view contact photos without unlocking the device. While this does not compromise device integrity or availability, it exposes personal information that could be leveraged for social engineering or targeted phishing attacks. For organizations, especially those handling sensitive communications or operating in regulated industries, this could lead to indirect risks such as identity exposure or reputational damage. The requirement for physical access limits the scope of exploitation, making remote attacks infeasible. However, in environments where devices are frequently unattended or lost/stolen, the risk is more pronounced. The impact is generally low but should not be dismissed in contexts where privacy is critical.

To mitigate this vulnerability, organizations and users should promptly update all affected Apple devices to iOS or iPadOS version 18.1 or later, where the issue is resolved. Beyond patching, organizations should enforce physical security controls to prevent unauthorized physical access to devices, such as secure storage and device tracking. Additionally, configuring lock screen settings to minimize displayed information and disabling features that expose contact details on the lock screen can reduce exposure. Training users on the importance of physical device security and awareness of privacy risks related to contact information leakage is also recommended. For high-security environments, consider implementing mobile device management (MDM) policies that restrict lock screen functionalities and enforce encryption and strong authentication methods.