Why you should tell Siri to stop listening from your iPhone’s lockscreen

Most of us fear having our passwords compromised when we imagine being hacked – but real-life attackers can do plenty of damage with far less sensitive information.

Case in point: The ease with which someone else could use Siri to break into your iPhone, if Apple’s personal assistant has been enabled from your lockscreen.

“Over the years iPhones and iPads have been plagued on many occasions by passcode bypasses,” Graham Cluley, a contributor to Internet security firm BitDefender’s news site, Hot for Security, writes in a Nov. 17 blog post. “It would be nice to think that as we’re now up to iOS 10 that Apple would have prevented such bypasses from working once and for all. But no such luck.”

Granted, in order to break into your iPhone an attacker would need physical access to your device. But should it fall to the wrong hands they would only need to hold down its buttons and ask, “Who am I?”

If enabled, Siri would then helpfully tell the attacker your device’s phone number.

“With that information you’re only a few steps away from accessing the owner’s personal photographs, address book and messages,” Cluley writes:

  1. First they use their phone to call yours.
  2. On your phone they can then click the Message icon and send a reply.
  3. Using Siri, they can then tell your phone to “Turn On VoiceOver,” a built-in iOS feature that provides gesture-based screen reading for visually-impaired users.
  4. They can then return to your phone’s message screen, double-click the bar where contact information is displayed, and immediately click on the on-screen keyboard.
  5. At this point, the attacker can ask Siri to disable VoiceOver, and after typing characters into the top bar they should be able to access contact details, along with the option to create a new contact…
  6. …But instead of adding a new contact, they can select the “Photo” icon, choose “Add Photo” – and suddenly they’ll have access to your photo gallery. By selecting contacts, they can see your past messages.

Step four might take “multiple attempts to get the timing right,” Cluley writes. “But you will know you’ve succeeded when you see the “Photo” icon and other options slide in from the side above the keyboard.”

“So much for it being locked.”

And in case you’re wondering: Yes, the bypass works on iPads too, provided they’re running the latest version of iOS.

Fortunately, you can disable Siri on your device’s lockscreen by going to Settings, choosing “Touch ID & Passcode,” and selecting “Disable Siri on the Lockscreen”.

“Chances are that Apple will release a security update in due course to shut down this latest passcode bypass, but it would be a brave man who placed money on Apple never suffering from a similar security goof in [the] future,” Cluley writes.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Eric Emin Wood
Eric Emin Wood
Former editor of ITBusiness.ca turned consultant with public relations firm Porter Novelli. When not writing for the tech industry enjoys photography, movies, travelling, the Oxford comma, and will talk your ear off about animation if you give him an opening.

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.