This weekend I discovered a pretty massive security fail on the iPhone 4S. As you might know, you can set a passcode to prevent unauthorized use of an iPhone handset.
You might also be aware of the new Siri feature built into the iPhone 4S. Assuming you have Siri enabled, the following is possible out of the box (as of the time of writing):
You can hold the home button to activate Siri whether the handset is locked or not. Once activated, you can direct Siri to perform specific actions, for example making a phone call!
I’ve tested the following scenarios/commands:
- “Call Paul” (assuming you have a contact named ‘Paul’)
  - Lists the matching entries from the contact list
  - Dials the selected contact
  - I assume this will work with any contact
- “Call <a number>”
  - e.g. “Call 12345”
Interestingly, if you issue the command “Unlock the Phone”, Siri responds with “I’m sorry, I can’t do that”.
So, there’s a pretty blatant hole in the iPhone security model: not only can you dial arbitrary phone numbers with Siri’s help, you can also expose entries from the contact list, all without ever entering the passcode.
It also appears that Siri will conduct web searches (e.g. “What is the capital of Colombia?”) while the handset is locked, using up your data plan.
Now, how about some bonus security flaws? You can also send messages via Siri. The command “Send a message to Paul” will take you through the steps to select a contact and select a number, then dictate a message and allow you to send it, all while the handset is locked.
Cupertino says: Oops.
Update
As a few people have pointed out (many thanks), it is possible to disable Siri only while the handset is locked (as opposed to disabling Siri altogether). This is not the default configuration (unfortunately!), which in my opinion still makes this a fairly significant flaw. To disable Siri when the phone is locked, go to:
Settings -> General -> Passcode Lock -> Siri. Set ON -> OFF.
Again, note that this only disables Siri while the phone is locked; Siri continues to work once the passcode has been entered.
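For anyone looking after more than one handset, the same setting can be pushed centrally rather than toggled by hand on each phone. The following is an added example, not code from this post or from Apple: it uses Python’s plistlib to build a configuration profile (.mobileconfig) whose Restrictions payload sets allowAssistantWhileLocked to false, and an audit function that flags profiles which leave the default (Siri usable on the lock screen) in place. allowAssistant and allowAssistantWhileLocked are Apple’s Restrictions payload keys; the latter only exists from iOS 5.1, so this goes slightly beyond the 4S-as-shipped situation described above. The organisation prefix example.org, the payload identifiers and the display names are placeholders.

```python
"""Build and audit an iOS Restrictions profile that turns Siri off on the lock screen.

Added example; not code from the original post. Key names are Apple's
Restrictions payload keys; identifiers and display names are placeholders.
"""
import plistlib
import uuid

RESTRICTIONS_TYPE = "com.apple.applicationaccess"   # Apple's Restrictions payload type
SIRI_KEY = "allowAssistant"                          # false = Siri off entirely (iOS 5.0+)
SIRI_LOCKED_KEY = "allowAssistantWhileLocked"        # false = no Siri on lock screen (iOS 5.1+)


def build_profile(allow_siri_while_locked, allow_siri=True, org="example.org"):
    """Return a .mobileconfig (XML plist) containing one Restrictions payload.

    allow_siri_while_locked=True reproduces the default configuration the post
    complains about; False is the hardened setting. 'org' is a placeholder
    reverse-DNS prefix for the payload identifiers.
    """
    restrictions = {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.restrictions.siri",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Siri restrictions",
        SIRI_KEY: allow_siri,
        SIRI_LOCKED_KEY: allow_siri_while_locked,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.siri-lock-screen",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Disable Siri on the lock screen",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def audit_profile(data):
    """Return a list of findings for a .mobileconfig that still allows Siri while locked.

    An empty list means the profile enforces the fix. A missing
    allowAssistantWhileLocked key counts as a finding, because the default is true.
    """
    profile = plistlib.loads(data)
    findings = []
    seen_restrictions = False
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        seen_restrictions = True
        ident = payload.get("PayloadIdentifier", "<no identifier>")
        if payload.get(SIRI_KEY, True) is False:
            continue  # Siri disabled entirely, so the lock-screen case cannot arise
        if payload.get(SIRI_LOCKED_KEY, True) is not False:
            findings.append(f"{ident}: {SIRI_LOCKED_KEY} is not false (Siri usable while locked)")
    if not seen_restrictions:
        findings.append("profile has no Restrictions payload; device default (Siri on lock screen) applies")
    return findings


if __name__ == "__main__":
    weak = build_profile(allow_siri_while_locked=True)    # the out-of-the-box state
    fixed = build_profile(allow_siri_while_locked=False)  # the Settings change, as a profile
    print("weak profile:", audit_profile(weak))
    print("fixed profile:", audit_profile(fixed))
    print(fixed.decode())
```

Two caveats worth knowing before relying on this: the allowAssistantWhileLocked restriction is ignored on a device that has no passcode set, so it complements the passcode rather than replacing it, and the profile only does anything once it has actually been installed on the handset (by hand, via email, or through an MDM server).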
Note: I’m not the first to discover this; here’s more reading on the topic:
Further Reading
http://tech2.in.com/news/smartphones/siri-makes-phone-calls-even-if-phone-is-locked/250662
http://mashable.com/2011/10/19/siri-lets-you-make-calls-on-passcode-locked-iphone-4s/
http://www.techradar.com/news/computing/apple/siri-security-flaw-uncovered-1035270
Just-In-Time Credit
Tip o’ the hat to my co-contributor, Paul Doessel, for the initial discovery and further testing
3 thoughts on “iPhone 4: Siri Security Fail”
This is the default configuration, but you can lock out Siri:
Settings ->General -> Passcode Lock -> Siri. Set ON -> OFF.
That’s a good point, I was trying to locate this setting last night. Shame it’s “ON” by default.
Here’s another golden bonus… Siri lets you update your FB or Twitter status while your phone is locked…
Unbelievable! 🙁