Siri security flaw leaves some locked iPhones open to abuse
The number of people who are running iOS 7, either by buying a new iPhone or by downloading the update from Apple, is high. Very high. But shortly after the excitement of the new operating system, a security flaw with Siri emerges -- and it's not one to be taken lightly. Security firm Cenzic reveals details of a vulnerability that enables anyone to bypass the lock screen of an iPhone using Siri.
The voice activated assistant is better known for providing answers to questions and allowing for hands-free operation of iPhones. But Cenzic researchers show that it can also be used for more sinister purposes. You would think that when your phone is locked it should not be possible to do anything, besides answering calls, until you unlock it.
But Cenzic Security Engineers, Abhishek Rahirikar and Michael Yuen found that it is possible to use Siri to use phone functions that really should be inaccessible when a device is locked -- such as the ability to post Facebook and Twitter updates, viewing call records and even send emails. This means that, in theory, should your iPhone be lost or stolen, someone else could use it to post messages on your behalf.
The ability to make calls from a locked phone could be seen as being useful to a legitimate owner of a phone. Cenzic says that the vulnerability demonstrates that "there is a thin line between security and convenience" and has called on Apple to remedy the problem. I've reached out to Apple to get their side of the story, and I'm awaiting a response.
A video has been posted to YouTube showing how the vulnerability works. It may seem that Siri first refuses to post a Facebook status update and then just gives in on the second request, but Abhishek Rahirikar explains that "you need to give right command, and Siri does not think whether the phone is locked or not, it carries out the action. This is true for some commands that we think should have some restrictions."
The problem is not restricted to iOS 7; it is also to be found in iOS 6.1.4.
Check out the YouTube video to see the vulnerability for yourself: