Feeds

back to article Sweet murmuring Siri opens stalker vulnerability hole in iOS 7

It has not been a good week for Apple on the security front, and there's no relief in sight after an Israeli researcher found a way to access a locked iPhone's contacts and messages database using Siri. In a YouTube video, Dany Lisiansky showed how a locked phone running iOS 7.0.2 can be opened by using Siri's voice control to …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Why would you even

Have that as an option?!

'so, everyone is agreed. Our default position will be no opening the prison gates. But anyone outside is free to talk to the Inmates'.

3
0
Silver badge

Apple users showed one possible way around this – using their nipples instead – but that's unlikely to take off for most users.

Disappointed.. hey if you saw the lasses where I work.

1
0
Silver badge
Coat

@ obnoxiousGit

I don't know if I'm disappointed about this. I'm not sure I'm ready for fishnet T-shirts to become standard office wear, even on casual Fridays.

Mines the one with the.....well, you'd rather not know.

2
0
Anonymous Coward

poorly designed OS creaking at the seams

Every week a new iOS security problem. An OS that's creaking at the seams. As Android marches forward, Apple hack more things in, in a lame attempt at keeping up.

8
11
Anonymous Coward

Re: poorly designed OS creaking at the seams

" As Android marches forward"

Are you perhaps suggesting that Android is secure? If so, excuse me whilst I smirk.

Smirk.

14
6
Silver badge

Re: poorly designed OS creaking at the seams

Are you actually reading the stories?

Here's what users want a phone to do: (i) lock itself if left unattended; and (ii) be usable hands free, such as in cars.

The 'security' problems with iOS are nothing to do with the technical underpinnings. They're the direct result of the inherent conflict of those two goals. There's no hint of creaking internals whatsoever.

3
6
Bronze badge

Re: poorly designed OS creaking at the seams

"(i) lock itself if left unattended; and (ii) be usable hands free, such as in cars."

Why do you think there is an inherent contradiction between these two goals? How difficult is it to disable automatic locking when the phone is paired with a bluetooth device such as a hands-free kit in your car (where I live it is illegal to use a mobile while driving without such kit, which is a good idea, IMHO)? There is an app for Android, at least, that does it. It should be built-in, not an add-on, and I would very much like an option to only do it when paired with one of the specific devices that I could configure, but it is usable even without these enhancements. When get into my car I switch BT on, and the screen lock is disabled.

My Android phone actually has a "driving mode", but its functionality is basically useless, e.g., disabling screen lock is not a part of it. The mode is not simple to switch on/off - it is hidden behind several menu levels. There is no reason, however, why proper design should not let a user tell the phone, "I am driving now, change the settings/profile accordingly: switch bluetooth on, disable screen lock, read out arriving text messages, etc." More generally, switching between "profiles" (switch BT on while driving, switch Wi-Fi on when at work, etc.) would be useful as a design feature.

Both iOS and Android are very poorly designed, IMHO (I have yet to see WP in the wild, so no comment). They are designed without any thought devoted to what the phone should do as a system. Rather, the mindset is, "someone will write an app for that". Obviously, the various apps do not work (together?) very well, which renders "creaking at the seams" a reasonable opinion. Your example of 2 conflicting requirements is perfectly valid, but the conflict is not "inherent" - it is due to lousy design. (In particular, using the phone while driving is not designed in at all - that would require, among other things, calendar and contacts and dialer and maps and GPS to be integrated into a single system, in addition to "profiles").

0
0
Bronze badge

Re: poorly designed OS creaking at the seams

if you have the nokia car kit with a compatible windows phone, will pair via BT (like a normal phone) and NFC automatically toggles the phones car mode when you place the phone in the holder - oh, it also charges wirelessly too while there!

Car mode changes the ring profile and also replaces the normal start screen with a few giant buttons to operate a cut down UI with favourites based addressbook, navigation and music....

0
0
Silver badge

Re: poorly designed OS creaking at the seams (@TFM)

If the phone doesn't lock when paired with a hands-free device then the phone of anyone with a bluetooth headset is permanently unlocked. So as soon as one of those people leaves their phone on the bus, on their desk, is pick-pocketed, etc, the story would be that a security vulnerability had allowed their contacts/email/the rest to be accessed.

I also think Siri is Apple's attempt to integrate calendar, dialler, maps, GPS, etc. I'm don't think it's a good implementation but it's an attempt, at least.

Regardless, answer this: are there — as the poster suggests — any grounds whatsoever to conclude that because one of the supplied, first-party applications displays information when we as users wouldn't want it to, the operating system must be "creaking at the seams"?

0
0
Silver badge
Facepalm

Siri.....find...Chinese...restaurant....

(Siri voice) confirmed, all contacts broadcast to China....

Siri!...No!!

(Siri) Correct, all contact sent now.....

Argh!! Siri, WHY???!!!

(Siri) Because all your contacts R belong to me.......

4
0

Re: Siri.....find...Chinese...restaurant....

That's really the best you can do? The original has "are belong to us." If you just changed the casing from "us" to "US", you'd have a much more apt line of text. It could be improved in other areas too, but this is a glaring point.

2
0

Wait... if you have to unlock the phone, surely you're already going to be able to access contacts anyway?

1
4

I just love apple security flaws.

But don't you have to be connected to wifi to use facetime? (i could be wrong but i was under the impression that it usually asks you to connect to wifi) Going off the basis that you need wifi, for someone to dupe you in this way they would have to steal your phone from home or work and perform this task on site... Seems a bit mission impossible to me. But then again office pranks are fun.

0
0
Silver badge

Re: I just love apple security flaws.

No — that was true across the board when the feature launched but Apple lets the individual carriers dictate it. E.g. AT&T announced in May that they'd be allowing access by the end of the year (source: http://www.theverge.com/2013/5/20/4348672/att-will-allow-all-video-chat-apps-on-its-network-by-end-of-2013 ) and various individuals started reporting access somewhere around mid-June. I've no idea if it's nationwide yet but if it isn't then it will be soon. Other networks no doubt have similar plans.

0
0
Silver badge

This is a lot like the hole they just plugged for the lockscreen

It seems Apple needs to add a global variable "screenlocked" to iOS and check it in a few more places or something. People are obviously checking every possible permutation to get from the lockscreen into the phone, and rather than plugging up each combination one by one, I hope they take the time to make a proper fix that addresses them all rather than see another one pop up after 7.0.3 is released to fix this one on Friday...

0
0
Anonymous Coward

Re: This is a lot like the hole they just plugged for the lockscreen

Well, you're saying two things. First you describe the implementation they seem to have now--a global variable, or whatever, that gets checked a bunch of places, and sometimes not in the places where it should be. And then you say they should make a proper fix.

I think the proper fix is probably to have some kind of watchdog process running if the screen is locked and checking to see if anything is going on that isn't allowed, i.e., have a small list of activities that are allowed, and start killing processes if they aren't on the whitelist.

1
0
Anonymous Coward

Re: start killing processes if they aren't on the whitelist.

Wow, Apple are so stupid. They should have asked the anonymous internet users how to design their OS. What could possibly go wrong?

1
0

Photos too

Watching the video he was able to attach a photo to the message he was going to send. That means being able to browse the photos on the device too.

3
0
Bronze badge

Erm, to use the vernacular of my own wife:

"Uhhh, Duhha!"

As I trained her partially to information security, need one say more?

Since nobody has managed to yet hack, phish or otherwise pilfer her data and accounts?

0
0
Silver badge

need one say more?

Not until one learns how to construct a coherent post, no.

1
0
FAIL

This was identified 2 years ago when the 4s / siri was launched

http://www.theage.com.au/it-pro/security-it/iphone-4s-security-hole-uncovered-20111019-1m6xt.html

Nice to see they did f'all about it other than the expand the crack

0
0

I am Shocked! Shocked! that Siri will take instructions from any voice instead of just the owner .....

0
0
Bronze badge

Here is an idea...

Dont use Siri - its fucking hopeless anyway, works fine in the house when there is no noise and i have my hands available anyway, get in to a place where you really need to use it in anger and the conditions are not perfect, not a chance in hell. I try it for a week, its now disabled never to be heard from again.

1
0
Meh

not quite as bad as it seems

firstly, to get Siri to call someone, you need to know that the person you are trying to call is stored in the contacts. Yeah, i suppose you could try "siri, call Mum" but you can't guarentee that will work.

secondly, the number you're calling from step one, has to have facetime available, so either another iOS device, or a Mac.

Lastly, you need access to that other device to be able to end / cancel the facetime call.

So, yeah, while possible, not exactly plausable. It's not like i can walk through an office, grab someones iPhone off their desk, and use this to get access to their phone / contacts.

0
0
Anonymous Coward

Is it April already?

The instructions for this 'exploit' include "4. Unlock the iPhone.". If you can do that, what's the point of all the Siri/facetime voodoo nonsense?

0
0
This topic is closed for new posts.