This weekend I discovered a pretty massive security fail on the iPhone 4S. As you might know, you can set a security PIN code to prevent unauthorized use of an iPhone handset.
You might also be aware of the new Siri feature built into the iPhone 4S. Assuming you have Siri enabled, then out of the box the following is possible (as of time of writing):
You can hold the home button to activate Siri – whether the handset is locked or not. Once activated, you can direct Siri to perform specific actions – for example, making a phone call!
I’ve tested the following scenarios/commands –
- “Call Paul” (assuming you have a person named ‘Paul’ in your contacts)
  - Will list matching entries in the Contact List
  - Will dial a selected contact
  - I assume this will work with any contact
- “Call <a number>”
  - e.g. “Call 12345”
Interestingly, if you issue the command “Unlock the Phone”, Siri responds with “I’m sorry, I can’t do that”.
So, there’s a pretty blatant hole in the iPhone security model – not only can you dial arbitrary phone numbers with Siri’s help, you can also expose contacts in the contact list.
It also appears that Siri will conduct web searches (e.g. “What is the capital of Columbia?”) while the handset is locked – using up your data plan.
Now, how about some bonus security flaws? You can also send messages via Siri. The command “Send a message to Paul” will take you through steps to select a contact, select a number and then will record a message and allow you to send – all while the handset is locked.
Cupertino says: Oops.
As a few people have communicated (many thanks), it is possible to disable Siri while the handset is locked (as opposed to disabling Siri altogether). This is not the default configuration (unfortunately!) which means (IMHO) this is still a fairly significant flaw. To disable Siri when the phone is locked, go to:
Settings -> General -> Passcode Lock -> Siri. Set ON -> OFF.
Again, note this will disable Siri when the phone is locked rather than switching Siri off altogether.
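For handsets managed through a configuration profile rather than by hand, the same setting can be audited in bulk. The following is an added example, not part of the original post: it assumes an unsigned .mobileconfig file and Apple's Restrictions payload keys `allowAssistant` and `allowAssistantWhileLocked`; the function names and sample profiles are constructed for illustration.

```python
import plistlib

# Payload type of Apple's Restrictions payload inside a configuration profile.
RESTRICTIONS_TYPE = "com.apple.applicationaccess"


def siri_allowed_while_locked(profile_bytes):
    """Return True if the profile leaves Siri reachable from the lock screen."""
    profile = plistlib.loads(profile_bytes)
    # Device default: with no restriction present, Siri answers while locked.
    allowed = True
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        # Switching Siri off altogether also closes the lock-screen path.
        if payload.get("allowAssistant", True) is False:
            allowed = False
        # The narrower control: Siri stays on, but not while locked.
        if payload.get("allowAssistantWhileLocked", True) is False:
            allowed = False
    return allowed


def make_profile(restrictions):
    """Build a constructed sample profile (assumption: not from a real device)."""
    payload = {"PayloadType": RESTRICTIONS_TYPE, "PayloadVersion": 1,
               "PayloadIdentifier": "example.restrictions", **restrictions}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "example.profile",
                           "PayloadContent": [payload]})


# Constructed samples: one with no Siri restriction, one hardened.
DEFAULT_PROFILE = make_profile({})
HARDENED_PROFILE = make_profile({"allowAssistantWhileLocked": False})

if __name__ == "__main__":
    for name, data in [("default", DEFAULT_PROFILE), ("hardened", HARDENED_PROFILE)]:
        state = "EXPOSED" if siri_allowed_while_locked(data) else "ok"
        print(f"{name}: Siri while locked -> {state}")
```

A profile that omits the key is reported as exposed, which matches the out-of-the-box behaviour described above.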
Note: I’m not the first to discover this, here’s more reading on the topic:
Tip o’ the hat to my co-contributor, Paul Doessel, for the initial discovery and further testing.