Siri Allows iOS 7.1.1 Lock Screen Bypass to Show All Contacts

The Intego Mac Security Blog is reporting a lock screen setting in iOS 7.1.1, perhaps a flaw, that allows someone in possession of a locked iPhone to trick Siri into displaying the owner's complete Contacts list. This may not be what the owner intended.

Graham Cluley, an iPhone security expert, has posted a note about how a neurosurgeon and part-time security researcher has discovered a potentially confusing iPhone setting. A video has been made that demonstrates the operation.

The expectation here is that a locked iPhone should never disclose extensive personal information. However, if Siri is set to ON under Settings > Touch ID & Passcode > Allow Access When Locked, access to the complete address book is still possible by speaking to Siri in a certain way. The iOS setting could be seen as ambiguous about whether one verbally named person or the entire list should be accessible.

Mr. Cluley mentions that the owner may actually want this setting when, for example, it isn't convenient to handle the iPhone and enter a password but Siri's access to the contacts list is desired.

iPhone users who don't want any access to their iPhone allowed when it's locked should go to Settings > Touch ID & Passcode > Allow Access When Locked and turn off all three settings: Siri, Passbook and Reply with Message.