Apple’s new “Siri” feature, the voice-activated personal assistant built into the iPhone 4S, leaves owners’ spanking new smartphones partially unguarded.
Those of us who work in the security arena have often banged on about the importance of securing your smartphone with a password or passcode to prevent unauthorised access.
Most mobile phone manufacturers have recognised that, as so many people use their smartphones to manage their diaries, their private communications, and their social lives, it’s good to have some form of security.
Which leaves Apple with some egg on its face regarding Siri.
Even if an iPhone 4S is locked with a passcode, a complete stranger can come up to your smartphone, press the button and give Siri a spoken command.
I borrowed a passcode-locked iPhone 4S from a colleague here at Sophos and, with his permission, was able to write an email, and send a text message. If I had wanted to I could have meddled with his calendar appointments too.
All without having to enter the passcode. I’m sure you can imagine some of the ways this could potentially be abused.
Fortunately there’s an easy way for security-conscious users to disable Siri when their phone is locked.
Enter “Settings/General/Passcode Lock” on your iPhone 4S, and make sure that the “Siri” option is set to “Off”.
That way Siri cannot be used when the smartphone is locked with a passcode, which seems the sensible option to me in most circumstances.
(In the case of the colleague’s iPhone 4S that I borrowed, I might also suggest that he switch from having a “simple” numeric passcode to a more complex version too).
What’s disappointing to me though is that Apple had a clear choice here.
They could have chosen to implement Siri securely, but instead they decided to default to a mode which is more about impressing your buddies than securing your calendar and email system.
It’s not as though Siri impressed me enormously anyway during my brief play with it. 30% of the time it misinterpreted what I was trying to say.
Mobile security is a serious subject of course, and Sophos provides a free Mobile Security Toolkit to help you raise awareness about mobile security risks amongst your staff.
Check out the following promo video Sophos made which emphasises the importance of having a passcode on your smartphone:
Unless security is your business, as is the case with Graham, your company is always going to put your customers’ convenience ahead of security. I don’t agree that this is as big of an issue as it seems from this article, considering that there IS a setting to turn Siri off when locked. It would be more of a concern if there was no way to do so.
Even Graham has to figure, if you think about it for a moment, how many customers complained about this “security flaw” (I’m guessing a relatively small number) compared to how many people would have complained (just about everyone outside of the security biz) if they couldn’t use Siri from the locked screen.
I am thinking about purchasing the iPhone 4S and I will be sure to disable Siri when my phone is locked if I choose to get one. Considering I am reading this article, you’d have to imagine that I am somewhat pro-security myself. But, as I’m sure we can all agree, people like Graham and me are the exception.
This is really a non-issue because it gives people the option to disable Siri when turning the passcode on. To be honest I think you’re looking a little too hard for problems…
Isn’t having insecure defaults usually a problem? It seems like it would have been much more sensible to make it secure by default.
Wow. How is it a non-issue when the default is 'insecure'? In this day and age, that's inexcusable.
It wouldn't be an article by Sophos without a plug for their own software by the end.
I'll respect you more when you stop taking hard bites into Apple only to promote your own virus-scan software in the end.
Hmm.. that's not a plug for Sophos's software at the end of the article.
It's a link to a bunch of resources that IT managers can use to educate their workforce about mobile security – things like having proper passwords on your smartphone, data encryption etc.
Check out the link – you might be surprised.
Graham, the issue for me is that you wrote an uninformed article. There is an option when you set your passcode to make Siri inoperable when the phone is locked… that fact pretty much renders your article moot.
Thanks,
Brad
No, it doesn’t. It would have, if Apple clearly informed you that their update contained a security risk that you could disable if you chose to do so. But they don’t. They simply leave you with an insecure default, which you’re probably never going to find out about – unless you read this article, or one of the others that popped up following this one.
Is it April Fool's Day already?
Apple has “egg on its face?” Please. They obviously considered the security implications and built in the additional passcode option as a solution.
Seems like you’re trying to drum up page views with alarmism.
What a retarded default setting.
Typical Apple. Impress your buddies first, security second. This has been and will continue to be the way they do things, and the form-over-function crowd will continue to ooh and aah over every minute of it.
This isn't typical Apple, this is typical marketing, for any company. Why make your most talked-about feature harder to access? I actually ran into someone I knew that got an iPhone 4S and told them about the fact that Siri is accessible even if the phone is locked. You know what their reply was: "Of course it is, it defeats the purpose of having it if I have to unlock my phone first". I told them they could disable Siri from the lock screen if they wished and they had no interest whatsoever. Sounds to me that Apple got it right; they know what their customers want, even if that's not the most secure option. And I'll say it again, it's not like they shipped it out with no option to disable Siri when locked; that option does exist.
Quote:
"It's not as though Siri impressed me enormously anyway during my brief play with it. 30% of the time it misinterpreted what I was trying to say."
Geez, give me a break. It's a Beta version. There are bound to be kinks and bumps, and frankly I don't see any of the others doing anything better at this point. Voice recognition software is still in its infancy, and I think this is a pretty good first try. I'll admit to being frustrated to no end by the Voice Control feature on my iPhone 4, but it's not the end of the world.
Oh, and by the way, have you tried "Dragon Naturally Speaking" – if you want to see a 30% error rate, Dragon will meet and beat that any time. I might as well be speaking Yiddish for all the help that application is to me.
Sophos, it'd be awesome if you'd credit your sources.
http://www.macnotes.net/2011/10/16/ios-5-security…
Thanks for sharing the link – but I've never been to that website before, so hardly surprising I didn't credit it. 🙂
The description made in the article is highly inaccurate; I believe that the author doesn't own an iPhone 4S.
It should mention that the 4S, just after activation, explicitly suggests that you create a passcode. When you do so, it will ask if you want to allow Siri to work even with the passcode on. Only if you answer yes will it work.
So the owner of the 4S mentioned in the article specifically allowed Siri to work even if locked.
Please grab an iPhone 4S and check it before writing inaccurate reports.
I too couldn't believe that the very simple fact that you are offered the choice as soon as you activate the 4S has been totally ignored. Users are explicitly offered a choice of each option.
I'd consider myself very security aware but chose to let Siri respond when my phone is locked purely because that is often when he/she/it is most useful.
If my iPhone was a business supplied one – through which sensitive data could be accessed – things might be different. But in such cases I would expect any IT department worth its salt to alert their users to the issue and provide guidance and/or policies as required.
I feel that Graham is right. The default should be that you must enter a password to use Siri when your phone is locked and if the owner of the phone did not like this, then he could change the setting to be able to use Siri without a password when the phone is locked. Better to be safe than sorry.
Seen days before here: http://www.securityvibes.fr/menaces-alertes/siri-…
It would make it hard to use hands-free (e.g. a Bluetooth headset) if you had to enter a passkey first!
In the UK you would get pulled over by the cops for touching the phone when driving.
While the default setting preference can be debated, this is a completely moot article. Siri can be easily disabled from access through the lock screen. All you have to do is push one button in the settings. Get real people.
Here's why someone might want Siri active even with a locked phone. Many jurisdictions now ban the use of cell phones other than in a hands-free mode. If you have to pick up the phone and enter an unlock code while driving just so you can make a call with your Bluetooth headset, then you're breaking the law.
A better alternative would be to leave Siri active, but allow an audio password to activate it (perhaps with some voice printing?)
If one has a locked iPhone 4S and someone calls, can you answer the phone without unlocking it?