News:

A Siri 'Feature' Makes Personal Information Accessible from a Locked iPhone

If you follow tech, you're probably familiar with Siri, Apple's personal voice assistant, which has been integrated heavily into iOS ever since iOS 5. But you might not have known that Siri is capable of performing some tasks when the iPhone is in a locked state. The default state of iOS is to allow access to Siri from the lock screen, most likely for the convenience of hands-free access to the phone.

This has led to more than a few lock screen bypass issues in iOS 7 (multiple times), iOS 8, and iOS 9 (multiple times)—and iOS 10 isn't any better.

In the latest iOS version, Siri continues to be accessible from the lock screen and she's giving out too much information! How much is too much? Any. Personal information can be used for many nefarious things, but especially social engineering.

From the iPhone lock screen using Siri, I was able to play back and send text messages...

Let's see what this person is up to.

And make calls and search the web.

Some commands such as "Launch Chrome" are met with a request for my credentials, while other commands such as "Give me directions home" are processed and launched, including "Show me my schedule." In a few minutes, I was able to quickly collect a lot of data from my locked iPhone.

MakeUseOf was able to pull up recent calls... something I didn't even think to try. And there are probably many more things you can do with Siri from a lock screen.

If you want to disable this functionality, it's fairly straightforward. First, navigate to your iPhone's Settings, scroll down to Siri, select Siri, then disable Access on Lock Screen.

This could be considered a feature for when you are driving and cannot text or otherwise hold the phone in your hand. For me, it's a bug. The screen is locked for a reason. If unauthorized users can access my messages, send messages, make calls, and view my home address, it's a problem. Many users trust the people in their contacts list and wouldn't think twice about clicking a link sent to them by someone they trust, or revealing personal information to people they trust. If that person isn't really them, but someone talking to Siri through the lock screen, that's a defect in my book.

There maybe more commands available. I'd love to see the Null Byte community have a look at this. Maybe there's another lock screen bypass hiding in there!

Cover image by Norman Kin Hang Chan/123RF; Screenshots by Barrow/Null Byte

1 Comment

Would be great if this was a tut.

Share Your Thoughts

  • Hot
  • Latest