Apple watchers have been warning for years that Siri's loose lips can leak secrets from a locked iPhone. Now a new security bug offers a more pressing reason than ever to turn her off on the phone's lockscreen.
Late last week Israeli security researcher Dany Lisiansky spotted another in a growing series of bugs in iOS 7's lockscreen on the iPhone that allows anyone to bypass the security code or fingerprint reader to access the phone's calling application, contacts, and voicemail. This trick works by using Siri to make a phone call and then triggering a glitch in the phone's FaceTime function.
Lisiansky explains in his step-by-step instructions accompanying the video:
1. Make a phone call (with Siri / Voice Control).
2. Click the FaceTime button.
3. When the FaceTime App appears, click the Sleep button.
4. Unlock the iPhone.
5. Answer and End the FaceTime call at the other end.
6. Wait a few seconds.
7. Done. You are now in the phone app.
Here's Lisiansky's video showing the trick in action:
In fact, security-conscious users should have disabled Siri on their lockscreen long ago. By default, and apparently by Apple's design, Siri has long allowed anyone to pick up a locked phone and use voice commands to post to Twitter or Facebook, send emails and text messages, access the user's calendar, make calls and even ask about specific contacts' personal information like addresses and phone numbers, including that of the phone's owner.
While that's made Siri more convenient, it's also posed a serious privacy problem. Security pundits like Graham Cluley, formerly of the firm Sophos, have warned since Siri first appeared that leaving the feature enabled on an iPhone's lockscreen is little better than leaving a phone unlocked altogether. "Even if an iPhone 4S is locked with a passcode, a complete stranger can come up to your smartphone, press the button and give Siri a spoken command," Cluley wrote back in 2011. "I'm sure you can imagine some of the ways this could potentially be abused."
Luckily the fix for that problem remains a simple one: Disable Siri on the phone's lockscreen. In iOS 7, users can do so by toggling the Siri switch under the "Passcode and Fingerprint" submenu (or simply "Passcode" on phones other than the 5s) on the "General" menu of the phone's settings. If you haven't done it already, Lisiansky's new bug presents a good reason to do it now.
The new Siri security flaw is only the latest to plague iPhones since Apple released iOS 7 earlier this month. One user has already shared with me a method of using iOS 7's "control center" to access its photos, along with all the associated sharing features including email, Twitter, Facebook and Flickr. Another showed me that anyone can make a call from a locked phone by exploiting a second bug in its emergency calling feature.
Apple rushed to provide a fix for those flaws in a software update last Thursday. But Lisiansky's YouTube video revealing yet another new lockscreen bug was posted just a day later, adding to what may be the buggiest version of iOS yet from a security perspective.
I've contacted Apple for comment, and I'll update this post if the company responds. No doubt it will release a patch for the Siri flaw, too. But users would be wise not to wait: It only takes a few seconds to prevent Siri from spilling your secrets to strangers.