CVE-2024-44139 is a vulnerability identified in Apple’s iOS and iPadOS operating systems that allows an attacker with physical access to a device to access the contacts list directly from the lock screen. The root cause is insufficient enforcement of access control checks on the lock screen interface, which permits unauthorized viewing of contact information without requiring device unlock, authentication, or user interaction. This vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The issue was addressed by Apple in iOS 18 and iPadOS 18 through improved validation and access control mechanisms that prevent contacts from being exposed when the device is locked. The vulnerability does not allow modification or deletion of data, nor does it affect device availability, limiting its impact to confidentiality. The CVSS v3.1 base score is 2.4, indicating a low severity primarily due to the requirement of physical access and the limited data exposure. No known exploits have been reported in the wild, suggesting limited active exploitation. However, the exposure of contact information could facilitate social engineering attacks or targeted phishing attempts by providing attackers with valuable personal data. The vulnerability affects all devices running iOS and iPadOS versions prior to 18, which includes a broad range of Apple mobile devices globally.

The primary impact of CVE-2024-44139 is the unauthorized disclosure of contact information from locked iOS and iPadOS devices. For organizations, this could lead to privacy violations and potential leakage of sensitive business contacts, which may be leveraged in social engineering or spear-phishing campaigns. Although the vulnerability does not allow modification of data or device compromise, the exposure of contacts can facilitate further attacks by providing attackers with trusted contact details. This risk is particularly significant in environments where devices are frequently left unattended or lost, such as in corporate settings, public spaces, or during travel. The limited requirement of physical access restricts the scope of exploitation but does not eliminate risk, especially for high-profile targets or in scenarios involving theft or unauthorized device access. The vulnerability’s low severity score reflects its limited direct impact on device integrity or availability but does not diminish the importance of protecting sensitive contact information. Organizations relying heavily on Apple mobile devices should consider the potential privacy and operational risks associated with this exposure.

To mitigate CVE-2024-44139, organizations and users should promptly update all affected Apple devices to iOS 18 or iPadOS 18, where the vulnerability has been fixed with improved access control checks. Until updates are applied, users should minimize the risk by configuring device lock screen settings to restrict access to contacts and other sensitive information, such as disabling features like 'Show Contact Info' or 'Reply with Message' from the lock screen. Physical security controls should be enhanced to prevent unauthorized access to devices, including enforcing strict policies on device handling and storage. Employing mobile device management (MDM) solutions can help enforce security policies and ensure timely updates across organizational devices. Additionally, educating users about the risks of leaving devices unattended and the importance of promptly reporting lost or stolen devices can reduce exposure. Regular audits of device configurations and lock screen settings can help identify and remediate potential weaknesses. Finally, organizations should monitor for any emerging exploits targeting this vulnerability and adjust their security posture accordingly.