Siri offers the latest backdoor into your iPhone - just ask nicely!

Filed Under: Apple, Featured, iOS, Privacy, Vulnerability

We really didn't want to write another Apple iOS 7 story.

With two lockscreen holes and a fingerprint sensor that can be fooled with woodglue, we thought we'd given diehard iPhone fans a horse that was already dangerously high enough for them not to get down from. [I think you have mixed more than a metaphor there, Ed.]

For example, we chose not to cover the fact that the New York Police Department were handing out flyers over the weekend advising residents of the Big Apple to take Even Bigger Apple's advice, and to upgrade to iOS 7 as soon as possible for security reasons.

We're weren't entirely sure that we agreed with New York's Finest there, not least because we'd already gone so far as to suggest that you might want to consider sticking at iOS 6.1.3 until the lockscreen holes were fixed.

But we didn't want to enter a public wrangle with a concept we agree with strongly in principle.

Cybersecurity is important to and for everybody, not only for privacy reasons, but also as an aspect of crime prevention, so it is great to see beat cops trying to get people interested in it.

Hoewever, as you've no doubt noticed, this is another Apple iOS 7 story, and it's yet another tale of woe at the lockscreen.

All about Siri

With Naked Security readers saying to us, "Ha! Did you hear about Siri?", we could hardly let this one go.

We've written before about Siri, Apple's voice control system.

Firstly, we covered Siri because Apple avoided the limitations of the voice-processing power of your handset by uploading your mumblings to its own servers, doing the processing in some stadium-sized data centre somewhere.

The company also retained both your audio data and transcripts of what you said "for a period of time" so that Apple could "generally improve" its products and services.

IBM famously banned Siri precisely because it didn't want unspecified transcripts of employees' musings lying around at Apple, and with all the recent fuss about internet surveillance, that may have been a prescient move.

Secondly, we covered Siri because of lockscreen problems, where locking crooks out of the keyboard and the touch interface didn't stop them asking your phone to bypass its own security.

Seems like déjà vu all over again.

There's a video going around, for example, from a company called Cenzik, apparently showing Siri blocking a Facebook post with a feminine-sounding equivalent of HAL's infamous "I'm sorry, Dave, I'm afraid I can't do that" from 2001, A Space Odyssey.

But immediately afterwards, following some modest Home button "hacking" (a feat that seems to be no more complex that holding the Home button down for a while) Siri complies politely and quickly with an almost identical request.

And a Naked Security commentator suggests:

Industry reaction has been interesting, with one publication actually using the words "access is limited," as though there were little cause for concern, before confirming that the "limitations" apparently don't prevent you sending email, or posting to the user's social networks.

Oh, and you can call anywhere, just as you can with the "emergency call" hole.

What to do?

There's a workaround: disallow Siri from the lockscreen, by heading to Settings|General|Passcode Lock and turning off Allow access when locked for Siri. (Why, oh why, is that not the default?)

You could go one step further, of course, and follow IBM's lead by turning off Siri altogether.

There are some things that HAL's smooth-sounding stepsister just doesn't need to hear.

, , , ,

You might like

32 Responses to Siri offers the latest backdoor into your iPhone - just ask nicely!

  1. Dan · 393 days ago

    What about the "Erase Data" option (erase all data on this iPhone after 10 failed passcode attempts)? Should that be (green) turned on?

    • Richard · 393 days ago

      Thereby opening up one heck of a Denial of Service attack against the legitimate owner...

      • Jean-Marc · 393 days ago

        But if Apple is to be believed, once erased your iDevice can't be reconfigured to someone else's Apple ID, because iOS 7 locks would-be-thieves out of your device until they know your password. So as long as iCloud backup is turned on, then just restore. A workaround sure, and annoying as your little snot nosed sibling but at least your phone is your again....

        Until hackers find out how to deactivate that little security feature (jailbreak anyone?)

  2. Just in the interests of fair and balanced reporting:

    You say.....
    "Firstly, we covered Siri because Apple avoided the limitations of the voice-processing power of your handset by uploading your mumblings to its own servers, doing the processing in some stadium-sized data centre somewhere.

    The company also retained both your audio data and transcripts of what you said "for a period of time" so that Apple could "generally improve" its products and services."

    Google do exactly the same thing with the Android voice engine. Your voice is uploaded, processed and retained briefly.

    Just saying ;-)

    • Paul Ducklin · 393 days ago

      Some quick remarks:

      * This article isn't about Android.

      * The Google actions you describe aren't doing "exactly the same thing" - Apple specifically announced it would hang onto your voice and the transcripts "for a period oif time." So they kept more, and for longer. Indeed, they explicitly retained the data to use again.

      * I don't use the Android voice engine, and my personal approach is that it is best avoided. That's not science but viscera speaking. (I try to remove all APKs that relate to voice processing, since I have a rooted device and can do so, as a way of helping inhibit me from using it at all. I *think* I've eliminated most of it :-)

    • Marc · 393 days ago

      To add to what Paul said, no, Google doesn't do the same thing. Android has local voice processing, it doesn't upload your voice searches to process remotely.

  3. asrugan · 393 days ago

    You should check to see that earlier statements still stand, as IBM's "ban" on Siri was extremely short and limited in nature. The full policy is (and has been since shortly after Siri launched over a year ago) that Siri's use on lock be disabled. It's generally a good idea to enable that feature for everyone who cares about actually locking their phone.

    (comments made are my own and do not reflect the statements or stance of IBM as a whole)

  4. phunkphreaker · 393 days ago

    Wow. Sensationalist much?

    Just lock SIRI on your lock screen.

    • Paul Ducklin · 393 days ago

      I should have mentioned that! Oh. I did. (See above.) I also asked, rhetorically, I suppose, why "Siri off at lock" isn't the default. Got a thought about that?

      There does seem to be a bigger problem than you imply here. The video I mentioned shows Siri refusing to post to Facebook on a locked phone, then posting *without the phone being unlocked inbetween*.

      In other words, Siri seems to be allowing functionality that is supposed to be blocked, rather than taking advantage of a weak configuration.

      So...is a flaw in the lock screen? A flaw in Siri itself? (If the latter, you may be better advised to turn of Siri altogether, rather than just making it harder to get at.)

      • Jack Wilborn · 393 days ago

        Granted, but all of us are probably interested in the 'path' that is being followed by all of the giant companies, Apple and Google.

        Jack

      • Nikki · 393 days ago

        Woah! Passive aggressive much?

        With responses like that to your readers, it's no wonder this is a small-time blog I have never heard of before.

        I certainly wouldn't ever come back if you responded to on of my posts with such a tone. Where's the professionalism?

        • Paul Ducklin · 393 days ago

          Errrrrrrrrr...there's no answer to that :-)

          • It'sMe! · 393 days ago

            I gotta agree with Nikki. I actually thought the troll -like replies were coming from a disgruntled fandroid only to find they were from the author!

        • Colin · 393 days ago

          "small-time blog" that's attached to the sophos domain

        • Anonymous Coward · 393 days ago

          The comment he replied to completely misses the obvious focus of the article, while ignoring clearly posted facts in the article and insulting the author. Comments like that don't warrant professionalism.

        • Bear · 393 days ago

          I'm pretty sure that calling Sophos' blog 'small-time' says more about you than it does about Sophos.

        • T'Pol · 393 days ago

          "Where's the professionalism?"

          I can understand how you wouldn't recognize it. There certainly wasn't any in your post.

    • thedreamingfields · 393 days ago

      Point is - you have to choose to lock Siri on the lock screen. If you can dial numbers etc from a locked phone then shouldnt it be locked as standard? not left up to the user to find out this is a potential issue and do something about it?

    • MiB · 393 days ago

      But on this iPad 3 gen Siri was off by default and wasn't turned on by default with IOS 7. So this doesn't seem to be a by default issue for everyone.

  5. Tim · 393 days ago

    Sophos needs Google, they don't need Apple. Pretty much all the Anti-Apple stories are along the lines of "If you leave a PC switched on and logged in as Administrator ANYONE can do ANYTHING."

    • Lateral · 393 days ago

      I see you forgot to disable the reality distortion field in your Apple product settings.

      L.

      • Anon · 393 days ago

        As Srir is off by default in all installations I've seen you're the one who is at war with reality.

        • Lateral · 393 days ago

          I see you forgot to enable the spell checker in your Apple product settings.

          L.

  6. Jonas · 393 days ago

    It's not the default settings because people usually prefer convenience over security and Apple is giving them what they want. They'll want to have it this way until they're subject to a security breach, in which case they'll say it's scandalous of Apple to not have saved them with better security.

  7. Luis Barandiaran · 393 days ago

    It's not a hole since you can actually turn it on/off, therefore it's a feature... however I do agree it should be ON by default...

    • Alan · 393 days ago

      I don't want to put words in your mouth but don't you mean it's not a "bug" because you can turn it off. Whether it's a vulnerability caused by inappropriate coding or a designed feature it's still a hole.

  8. mellow · 393 days ago

    The last time I saw something like this posted, the user was actually unlocking the 5S by holding down the button to launch Siri, which of course used the user's fingerprints. Are you sure you aren't doing the same? It isn't clear from the picture if it is a 5S...

    • Alan · 393 days ago

      This definitely doesn't need the iPhone to be unlocked. If the iPhone happens to have a bluetooth headset paired with it you can do the same thing without touching the phone. Just turn on the headset, it connects automatically and that triggers Siri to launch.

      Now you can't just ask to read email or open the contact list but ask to send a mail and you can check for addresses.

  9. Quick correction. The company is called "Cenzic," not Cenzik. The article about the vulnerability is on Cenzic's blog:
    http://blog.cenzic.com/2013/09/cenzic-researchers...

  10. foo · 393 days ago

    This appears to be Siri-ous!

  11. Bev Reilly · 393 days ago

    I had my iPhone 5 hacked via Siri from an iPhone 4 which wasn't even working properly - think it was done via iTunes , but really don't know how it was done, that's all I was told apart from having to have the owners home address xx

  12. Easy fix - and workaround - that keeps security -
    Turn on Touch ID for fingerprint - turn off Siri Access for locked phone.
    Hold home button down with entered finger / Siri activates
    Any other finger - get the passcode screen.

    Yes, the default setting should be off. But Apple wants these phones to be as user friendly as possible, and most users don't really care about security.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog