CVE-2024-44139 is a vulnerability identified in Apple’s iOS and iPadOS platforms that allows an attacker with physical access to a device to access the contacts list directly from the lock screen. This issue is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and results from insufficient access control checks on the lock screen interface. The vulnerability does not require any user interaction or prior authentication, making it a direct physical access risk. However, the scope is limited to viewing contact information only, without the ability to modify data or affect device integrity or availability. Apple addressed this vulnerability in iOS 18 and iPadOS 18 by implementing improved access control mechanisms that prevent unauthorized access to contacts when the device is locked. The CVSS v3.1 base score is 2.4, indicating a low severity primarily due to the requirement of physical access and limited impact on confidentiality. No known exploits have been reported in the wild, suggesting limited active threat at this time. The vulnerability highlights the importance of securing physical access to mobile devices, especially in environments where sensitive contact information is stored.

For European organizations, the primary impact of CVE-2024-44139 is the potential exposure of sensitive contact information if an attacker gains physical access to an iOS or iPadOS device. This could lead to privacy breaches, social engineering, or targeted phishing attacks based on the exposed contacts. While the vulnerability does not allow modification or deletion of data, the confidentiality breach could undermine trust and compliance with data protection regulations such as GDPR. Organizations with employees who use Apple mobile devices for business communications are at risk, especially if devices are lost, stolen, or left unattended. The impact is mitigated by the requirement for physical access and the availability of patches in the latest OS versions. However, failure to update devices could increase the risk of unauthorized contact data disclosure, which may have reputational and regulatory consequences.

European organizations should ensure all iOS and iPadOS devices are updated to version 18 or later, where the vulnerability is fixed. Implement strict physical security policies to prevent unauthorized access to devices, including secure storage and use of device locks. Enable additional device security features such as Face ID or Touch ID and enforce strong passcodes to reduce the risk of physical access exploitation. Educate employees about the risks of leaving devices unattended and the importance of reporting lost or stolen devices immediately. Consider deploying Mobile Device Management (MDM) solutions to enforce security policies, remotely lock, or wipe devices if compromised. Regularly audit device compliance and update security configurations to minimize exposure. Additionally, limit the amount of sensitive contact information stored on mobile devices where feasible.