Siri offers the latest backdoor into your iPhone – just ask nicely!


We really didn’t want to write another Apple iOS 7 story.

With two lockscreen holes and a fingerprint sensor that can be fooled with woodglue, we thought we’d given diehard iPhone fans a horse that was already dangerously high enough for them not to get down from. [I think you have mixed more than a metaphor there, Ed.]

For example, we chose not to cover the fact that the New York Police Department were handing out flyers over the weekend advising residents of the Big Apple to take Even Bigger Apple’s advice, and to upgrade to iOS 7 as soon as possible for security reasons.

We weren’t entirely sure that we agreed with New York’s Finest there, not least because we’d already gone so far as to suggest that you might want to consider sticking at iOS 6.1.3 until the lockscreen holes were fixed.

But we didn’t want to enter a public wrangle with a concept we agree with strongly in principle.

Cybersecurity is important to and for everybody, not only for privacy reasons, but also as an aspect of crime prevention, so it is great to see beat cops trying to get people interested in it.

However, as you’ve no doubt noticed, this is another Apple iOS 7 story, and it’s yet another tale of woe at the lockscreen.

All about Siri

With Naked Security readers saying to us, “Ha! Did you hear about Siri?”, we could hardly let this one go.

We’ve written before about Siri, Apple’s voice control system.

Firstly, we covered Siri because Apple avoided the limitations of the voice-processing power of your handset by uploading your mumblings to its own servers, doing the processing in some stadium-sized data centre somewhere.

The company also retained both your audio data and transcripts of what you said “for a period of time” so that Apple could “generally improve” its products and services.

IBM famously banned Siri precisely because it didn’t want unspecified transcripts of employees’ musings lying around at Apple, and with all the recent fuss about internet surveillance, that may have been a prescient move.

Secondly, we covered Siri because of lockscreen problems, where locking crooks out of the keyboard and the touch interface didn’t stop them asking your phone to bypass its own security.

Seems like déjà vu all over again.

There’s a video going around, for example, from a company called Cenzic, apparently showing Siri blocking a Facebook post with a feminine-sounding equivalent of HAL’s infamous “I’m sorry, Dave, I’m afraid I can’t do that” from 2001: A Space Odyssey.

But immediately afterwards, following some modest Home button “hacking” (a feat that seems to be no more complex than holding the Home button down for a while), Siri complies politely and quickly with an almost identical request.

And a Naked Security commentator suggests:

Industry reaction has been interesting, with one publication actually using the words “access is limited,” as though there were little cause for concern, before confirming that the “limitations” apparently don’t prevent you sending email, or posting to the user’s social networks.

Oh, and you can call anywhere, just as you can with the “emergency call” hole.

What to do?

There’s a workaround: disallow Siri from the lockscreen, by heading to Settings|General|Passcode Lock and turning off Allow access when locked for Siri. (Why, oh why, is that not the default?)

You could go one step further, of course, and follow IBM’s lead by turning off Siri altogether.

There are some things that HAL’s smooth-sounding stepsister just doesn’t need to hear.