A hacker has found a way to bypass the iPhone 5’s lock screen to get at your contacts.
Ironically, he got in by asking Siri, Apple’s voice-activated “helper.”
In a video posted to YouTube, hacker Sherif Hashim demonstrated tricking Siri into opening the contact list without entering the passcode.
This latest lock screen loophole means that anyone who gets their hands on your iPhone 5 could exploit this bug to make calls, send texts or send emails to anyone in your address book, and see everyone in your contact list.
In the YouTube video, the hacker tells Siri to open “Contacts” from a locked iPhone 5s. When Siri says “you need to unlock your iPhone first,” he hits cancel and says “Call.”
This time Siri asks “whom would you like to call.” By typing a single letter, the hacker bypasses the lock screen to open up a list of the contacts under that letter.
Hashim also said he was able to trick Siri into opening the entire contact list, and others were able to replicate it in testing.
You can watch Hashim demonstrate the Siri lock screen hack below.
Siri-ous lock screen issues
The iPhone’s lock screen is the easiest way to protect your phone from prying eyes in the event that it is lost or stolen – but activating Siri from the lock screen is like having no protection at all.
Siri has caused other lock screen problems that needed fixing before, where holding down the home button allowed you to just ask nicely for your phone to bypass its own security, so this seems like déjà vu all over again.
The bug affects devices running iOS 7.1.1 – the latest Apple release.
There’s already another bug in 7.1.1 that leaves email attachments unencrypted; Apple has promised to fix this bug, but we don’t know when.
And it follows several other lock screen flaws that Apple has fixed in previous versions of iOS 7, including ones that allow anyone to make phone calls or send photos from the lock screen without the passcode.
Siri is undoubtedly a convenience, but having it accessible from the lock screen (the default setting for the iPhone 5) introduces risks without much reward – if you need to make a call, for example, unlocking the iPhone manually seems worth having the extra security.
There’s a better, more secure option we recommend: disable Siri on the lock screen.
You can do that by heading to Settings | Touch ID & Passcode (if you have an iPhone 5 or lower you’ll just see Passcode). If you have a passcode already set up, you’ll need to enter it here. Then scroll to Allow Access When Locked and toggle off Siri.
Your iPhone has all your most precious personal data, from emails to photos and social media accounts – basically, access to your digital world.
Locking your iPhone with a passcode is worth it if you don’t want to invite thieves and snoops – use a hard-to-guess, strong passcode at that.
If you don’t want people grabbing your stuff off your iPhone, you’ll also want to add data encryption and two-factor authentication for sensitive apps.
Businesses can also enable remote lock and wipe using mobile device management software (like our Sophos Mobile Control).
Image of iPhone lock screen courtesy of Shutterstock.
10 comments on ““Open the iPhone door, Siri!” – Apple’s digital helper coughs up another lock screen hole”
Your instructions for how to disable this are wrong (“You can disable Siri on the lock screen by heading to Settings|General|Passcode Lock and turning off Allow access when locked for Siri.”).
This tweak is not in Settings>General.
Rather go to Settings>Touch ID and Passcode, and disable “Allow Access when Locked” for Siri.
Thanks Liz, this has been fixed in the article 🙂
For my iPhone 6s, the settings are like that
On 5s, to disable Siri on Lock Screen it’s Setting/General/Touch ID & Passcode…scroll down to Allow Access When Locked section and turn Siri toggle to off.
Fixed, thanks 🙂
You are incorrect. On the 5s it’s Settings|Touch ID & Passcode| Allow Access When Locked|Siri -OFF
I always have problems with iPhone’s Siri, as my previous 4s was using a flip case and I had a sticker button pasted on it. My Siri keeps getting activated when my phone’s in my pocket, since then I’ve always disabled Siri in lock screen mode.
Although my current 5s shouldn’t give me the same problem since I do not paste any sticker on the button to use the Touch ID feature. I have the habit of disabling the Siri function in lock screen. Now that I can easily unlock the phone with my fingerprint, I’ll continue to disable it even if Apple solves this issue.
Thanks for the write up! Always enjoy reading any IT security article 🙂
If you’ve turned off Siri it won’t appear.
Also a problem on an iPad: rather than call a person, say Facetime the person.
Don’t buy iJunk, problem solved.