iPhone 4: Siri Security Fail 3


This weekend I discovered a pretty massive security fail on the iPhone 4S.  As you might know, you can set a security pin code to prevent unauthorized use of an iPhone handset.

You might also be aware of the new Siri feature built into the iPhone 4S.  Assuming you have Siri enabled, then out of the box the following is possible (as of time of writing):

You can hold the home button to activate Siri – whether the handset is locked or not.  Once activated, you can direct Siri to perform specific actions – for example, making a phone call!

I’ve tested the following scenarios/commands –

  • “Call Paul” (assuming you have a person named ‘Paul’ in your contacts)
    • Will list matching entries in the Contact List
    • Will dial a selected contact
    • I assume this will worj with any contact
  • “Call <a number>”
    • e.g. “Call 12345”

Interestingly, if you issue the command “Unlock the Phone”, Siri responds with “I’m sorry, I can’t do that”.

So, there’s a pretty blatant hole in the iPhone security model – not only can you dial arbitrary phone numbers with Siri’s help, you can also expose contacts in the contact’s list.

It also appears that Siri will conduct web searches (e.g. “What is the capital of Columbia?”) while the handset is locked – using up your data plan.

Now, how about some bonus security flaws?  You can also send messages via Siri.  The command “Send a message to Paul” will take you through steps to select a contact, select a number and then will record a message and allow you to send – all while the handset is locked.

Cupertino says: Oops.

Update

As a few people have communicated (many thanks), it is possible to disable Siri while the handset is locked (as opposed to disabling Siri altogether).  This is not the default configuration (unfortunately!) which means (IMHO) this is still a fairly significant flaw.  To disable Siri when the phone is locked, go to:

Settings -> General -> Passcode Lock -> Siri.  Set ON -> OFF.

Again, note this will disable Siri when the phone is locked rather than switching Siri off altogether.

Note: I’m not the first to discover this, here’s more reading on the topic:

Further Reading

http://tech2.in.com/news/smartphones/siri-makes-phone-calls-even-if-phone-is-locked/250662
http://mashable.com/2011/10/19/siri-lets-you-make-calls-on-passcode-locked-iphone-4s/
http://www.techradar.com/news/computing/apple/siri-security-flaw-uncovered-1035270

Just-In-Time Credit

Tip o’ the hat to my co-contributor, Paul Doessel, for the initial discovery and further testing


About Rob Sanders

IT Professional and TOGAF 9 certified architect with nearly two decades of industry experience, 18 years in commercial software development and 11 years in IT consulting. Check out the "About Rob" page for more information.


Leave a comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

3 thoughts on “iPhone 4: Siri Security Fail