CVE-2024-54470 is a logic vulnerability identified in Apple’s iOS and iPadOS operating systems that allows an attacker with physical access to a device to access the contacts list directly from the lock screen. The root cause is a flaw in the access control logic that fails to properly enforce authentication requirements before displaying contact information. This vulnerability compromises the confidentiality of user data by exposing contact details without unlocking the device. The issue was addressed by Apple through improved access checks implemented in iOS 17.7.1, iPadOS 17.7.1, iOS 18.1, and iPadOS 18.1. The CVSS v3.1 base score is 4.6, reflecting medium severity, with an attack vector requiring physical access (AV:P), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The scope remains unchanged (S:U), and the impact is high on confidentiality (C:H) but none on integrity (I:N) or availability (A:N). No known exploits have been reported in the wild, but the vulnerability poses a privacy risk especially in scenarios where devices are lost, stolen, or temporarily unattended. The weakness is categorized under CWE-862 (Missing Authorization).

The primary impact of CVE-2024-54470 is the unauthorized disclosure of contact information from locked Apple mobile devices, which can lead to privacy violations and potential social engineering or targeted attacks against the device owner or their contacts. Organizations that rely on Apple devices for sensitive communications may face increased risk of data leakage if devices are physically compromised. Although the vulnerability does not allow modification or disruption of device functions, the exposure of contact data can facilitate further attacks such as phishing or identity theft. The requirement for physical access limits remote exploitation, but the risk remains significant in environments where devices are shared, lost, or stolen. This vulnerability could undermine trust in device security and complicate compliance with data protection regulations that mandate safeguarding personal information.

To mitigate CVE-2024-54470, organizations and users should promptly update affected devices to iOS 17.7.1, iPadOS 17.7.1, iOS 18.1, or iPadOS 18.1 where the vulnerability is fixed. Beyond patching, enforcing strong physical security controls to prevent unauthorized access to devices is critical. This includes policies for secure device storage, use of biometric or strong passcodes, and disabling lock screen features that expose sensitive information such as contact previews or widgets. Administrators should review and configure device settings to minimize data exposure on the lock screen, including restricting access to Siri, notifications, and other interactive elements. Regular training and awareness programs can help users understand the importance of physical device security. For high-risk environments, consider implementing mobile device management (MDM) solutions that enforce security policies and enable remote wipe capabilities if devices are lost or stolen.