“Open the iPhone door, Siri!” – Apple’s digital helper coughs up another lock screen hole

A hacker has found a way to bypass the iPhone 5’s lock screen to get at your contacts.

Ironically, he got in by asking Siri, Apple’s voice-activated “helper.”

In a video posted to YouTube, hacker Sherif Hashim demonstrated tricking Siri into opening the contact list without entering the passcode.

This latest lock screen loophole means that anyone who gets their hands on your iPhone 5 could exploit this bug to make calls, send texts or send emails to anyone in your address book, and see everyone in your contact list.

In the YouTube video, the hacker tells Siri to open “Contacts” from a locked iPhone 5s. When Siri says “you need to unlock your iPhone first,” he hits cancel and says “Call.”

This time Siri asks “whom would you like to call.” By typing a single letter, the hacker bypasses the lock screen to open up a list of the contacts under that letter.

Hashim also said he was able to trick Siri into opening the entire contact list, and others were able to replicate it in testing.

You can watch Hashim demonstrate the Siri lock screen hack below.

Siri-ous lock screen issues

The iPhone’s lock screen is the easiest way to protect your phone from prying eyes in the event that it is lost or stolen – but activating Siri from the lock screen is like having no protection at all.

Siri has caused other lock screen problems that needed fixing, where holding down the home button allowed you to just ask nicely for your phone to bypass its own security – so this seems like déjà vu all over again.

The bug affects devices running iOS 7.1.1 – the latest Apple release.

There’s already another bug in 7.1.1 that leaves email attachments unencrypted; Apple has promised to fix this bug, but we don’t know when.

And it follows several other lock screen flaws that Apple has fixed in previous versions of iOS 7, including ones that allow anyone to make phone calls or send photos from the lock screen without the passcode.

Siri is undoubtedly a convenience, but having it accessible from the lock screen (the default setting for the iPhone 5) introduces risks without much reward – if you need to make a call, for example, unlocking the iPhone manually seems worth the effort for the extra security.

There’s a better, more secure option we recommend: disable Siri on the lock screen.

You can do that by heading to Settings | Touch ID & Passcode (if you have an iPhone 5 or lower you’ll just see Passcode). If you have a passcode already set up, you’ll need to enter it here. Then scroll to Allow Access When Locked and toggle off Siri.

Your iPhone has all your most precious personal data, from emails to photos and social media accounts – basically, access to your digital world.

Locking your iPhone with a passcode is worth it if you don’t want to invite thieves and snoops – use a hard-to-guess, strong passcode at that.

If you don’t want people grabbing your stuff off your iPhone, you’ll also want to add data encryption and two-factor authentication for sensitive apps.

Businesses can also enable remote lock and wipe using mobile device management software (like our Sophos Mobile Control).

Image of iPhone lock screen courtesy of Shutterstock.