Siri Allows iOS 7.1.1 Lock Screen Bypass to Show All Contacts


The Intego Mac Security Blog is reporting a lock screen setting in iOS 7.1.1, perhaps a flaw, that allows someone in possession of a locked iPhone to trick Siri into displaying the owner's complete Contacts list. This may not be what the owner intended.

Graham Cluley, an iPhone security expert, has posted a note about how a neurosurgeon and part-time security researcher has discovered a potentially confusing iPhone setting. A video has been made that demonstrates the operation.

The expectation here is that a locked iPhone should never disclose extensive personal information. However, if Settings > Touch ID & Passcode > Allow Access When Locked > Siri is set to ON, access to the complete address book is still possible by speaking to Siri in a certain way. The iOS setting could be seen as ambiguous about whether one verbally named person or the entire list should be accessible.

Mr. Cluley mentions that the owner may actually want this setting when, for example, it isn't convenient to handle the iPhone and enter a password but Siri's access to the contacts list is desired.

iPhone users who don't want any access to their iPhone allowed when it's locked should go to Settings > Touch ID & Passcode > Allow Access When Locked and turn off all three settings: Siri, Passbook and Reply with Message.


Comments

Khürt Williams

The feature is behaving exactly as expected.  It can be used to dial a number or send a text message while driving.  It’s meant for hands free use.  It’s not a security flaw per se but a matter of users wanting things that have unintended consequences.  I personally think nothing—not even the camera—should be accessible from a locked phone screen.

Melissa Davis

I agree with Khürt. Not a flaw but a feature. It depends on your personal perspective. I wrote about this in depth last month after one of our iPhones had been stolen and there’s more to it than just contacts. In case you’re interested: http://www.themacmommy.com/2014/04/dont-let-your-iphone-spill-beans.html

John Martellaro

As I pointed out in the article, this is, after all, an iOS setting. However, some users may not appreciate the scope of what another person, in possession of the iPhone, can do when that setting is turned on.

Khürt Williams

Hi John, I agree with you.  Users often don’t understand the consequences of the choices they are making.  Perhaps instead of teaching kids to code, schools should be teaching logic and deductive reasoning.

Lee Dronick

  schools should be teaching logic and deductive reasoning.

Heaven forefend! :)

Seriously they could do both, humanities too.

macnotesguy

Schools teaching kids to code are teaching logic and deductive reasoning; it is, at least indirectly, a required part of successful coding.

mactoid

OMG! You’ve got to be KIDDING!?!?

Someone can get SIRI to accurately respond to voice commands? I’m impressed!

ibuck

I wish iOS allowed users to require a password for specific apps, like Contacts, Phone, Mail, Messages, Notes, etc. even if you had no password for the device.

Pheap Sopheaktra

Here’s how to bypass iOS 7.1.1 lock screen
https://www.youtube.com/watch?v=FEql_QO22jY
