Siri-ous vulnerability in default iPhone 4s configuration

So like many people, I got an iPhone 4s shortly after launch. It wasn’t totally gadget lust, I have iPhone users to support at work, and they have started upgrading to the 4s (deployed the first one today).

Turns out it’s a good thing I got one a couple of weeks before any of my users.

I keep my phone locked with a passcode, but with Siri enabled, that doesn’t mean the phone is secure.

There is a setting in iOS 5 phones with Siri enabled (at this point only the 4s) that allows Siri to be accessed while the phone is locked. This is a feature not a bug. With this feature enabled anyone who picks up your locked iPhone 4s can send email, text messages, make calls, even screw with your calendar. The potential for shenanigans is only limited by how well the unauthorized user knows Siri.

I was able to set an alarm for 3AM with the phone locked, so I can only imagine what someone that really knows how to use Siri could get up to.

Unfortunately Apple decided to set this to enabled by default. Apparently impressing your buddies is more important than securing your phone, even if you thought you had secured your phone by enabling a passcode lock.

Fortunately it’s a setting, so you can disable it. To do so, go to Settings>General>Passcode Lock, and turn the Siri setting to Off.

This means that you can’t use Siri when your phone is locked, but then neither can anyone else. I’m disappointed that Apple hasn’t yet made taking security seriously a priority, it would have been so easy to avoid this potentially serious security breach.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: