Skip to main content

Siri opens holes in locked iPhones

Security experts have spotted a few flaws with Siri, the voice recognition system built in to the iPhone 4S, that should have proud owners dashing for the configuration screen.

Siri - originally Siri Assistant, a stand-alone app for all iOS devices, prior to the eponymous company's acquisition by Apple in 2010 - allows users to control their iPhone's functions through simple voice commands.

Simply by pressing a single button - or even just putting the device up to your ear - you can add events into your schedule, set alarms and timers, send emails and text messages, and search the web.

Sadly, it's also possible to do all that even without unlocking the handset thanks to a frankly bizarre default setting chosen by Apple.

"I borrowed a passcode-locked iPhone 4S from a colleague here at Sophos and, with his permission, was able to write an email, and send a text message [without unlocking it,]" warns security researcher Graham Cluley. "If I had wanted to I could have meddled with his calendar appointments too."

The problem stems from Apple's decision to allow quick access to Siri's functions by enabling it on the lock screen. As a result, a single key press allows users to give Siri commands without knowing the passcode used to lock the handset.

It's a serious security flaw, but one which is thankfully easy to fix: knowing that this could be a problem, Apple has included an option to disable Siri when the phone is locked with a passcode. Simply browse to Settings, General, and Passcode Lock, flick the Siri option to 'off,' and you're secure.

The issue, however, is with the default setting: with the vast majority of iPhone 4S users unlikely to bother checking the settings, there is going to be a huge number of iPhone 4S handsets out there that can be used even when in the locked state thanks to Siri.

A smaller security issue, but one which is potentially more embarrassing, has been discovered in Siri's ability to refer to the iPhone's owner by a nickname. While you can set any name you want for Siri to use in conversation, that name gets saved to your Contact Card.

That Card, (opens in new tab) has noticed, is frequently shared as a virtual business card via email or MMS, and is sent complete with your chosen nickname.

Sadly, there is not - at present - a way to disable that particular functionality, beyond choosing a less embarrassing nickname. monitors all leading technology stories and rounds them up to help you save time hunting them down.