Adding to the growing list of security vulnerabilities and work arounds being discovered for iOS 7 is the fact that the lock screen can easily be bypassed by simply using Siri.
Siri is enabled by default in iOS 7, and by pressing the home button you can activate Siri and ask her all sorts of questions and issue commands.
No need to bring out the waterboard, because Siri sings like a canary. Here are a few questions I grilled her on that she not only provided answers for, but also at times collaborated with me in my crimes:
- What is _____’s phone number?
- What is _____’s address
- Where is my next appointment?
- What is my address?
- Check my voicemail. (shows who called but requires unlock to listen…whew!)
- Show my recent calls.
- Tell ____ ‘You are stupid’
- Give me directions home
- Post to Facebook ‘I have been held ransom, please send money’
- Post to Twitter ‘Send me $50,000 in a brown paper bag’
On the positive side Siri would not let me check voice-mail or email unless I unlocked the phone. However I was able to post to my social media accounts, send text messages, get contact information such as phone number and address, and identify who has called recently.
I could also enable airplane mode on the device which will disable Siri, however it will also disable Find My iPhone and the victim’s ability to wipe the device, giving you more time to find ways to bypass the lock screen.
Even if a phone was not stolen and simply left on a table or “borrowed” by someone, a great deal of damage could be done. The best thing to do to mitigate the risk is to disable Siri from the lock screen:
- General -> Passcode Lock (Allow Access When Locked).
- Vulnerability: Who is Watching Your IP Camera?
- Vulnerabilities: It’s Time to Review Your ReviewBoard
- How Risky is Google Apps for Your Business?
- Why Cross-Site Scripting Always Matters
P.S. Have you met John Powers, supernatural CISO?
Title image courtesy of ShutterStock