The FaceTime group feature, deployed with iOS 12.1, has been hijacked to access the contacts of any iPhone, even when locked.
This is a story that comes up a little too often: every time an operating system update is released, a computer security researcher finds a combination in the new features that allows access to data that should remain private. Jose Rodriguez, a Spanish researcher, showed that the FaceTime group feature (videoconferencing with up to 32 people at the same time) allowed access to contacts and their information on a locked iPhone.
HOW THE BUG WORKS
The exploit provides access to all contact information on an iPhone. It involves activating a FaceTime call and then using the new group FaceTime feature to see contact information without a passcode. This particular exploit only works on iOS 12.1, and it requires physical access to an iPhone.
HOW TO PROTECT YOURSELF
While waiting for a fix from Apple, which has been made aware of the issue, you can take steps that mitigate the danger, for example disabling Siri on the lock screen. That way, if the attacker does not know your phone number, he will not be able to access it, nor will he be able to call you by voice command.