Providing users who aren’t overly concerned with privacy an option to forgo certain protections in favor of convenience is a good thing. Enabling those less secure conveniences by default, however, is not a good thing.
Several security issues have been traced to the fact that Siri and other iOS conveniences are enabled by default when iPhones are locked. The biggest example, perhaps, was discovered in September last year: by default, anyone who finds or steals an iPhone can, in just a few seconds, make it impossible for the owner to recover the lost handset.
And now, another big flaw has been uncovered.
As noted in a recent post on NBC, Egyptian programmer Sherif Hashim has discovered a flaw that allows anyone to access a user’s contact list even when the iPhone is locked. The issue is confirmed to be present even in Apple’s latest iOS 7.1.1 software.
Hashim posted a video to illustrate the flaw. In it, he shows that the device is locked and then attempts unsuccessfully to access the handset’s contact list using Siri. After canceling his initial command, he speaks a different command — “Call” — to initiate a voice call while the handset is locked. Siri then asks, “With whom would you like to speak?” and presents Hashim with the phone’s full contact list even though the device is still locked.
The report notes that no other features on the phone are accessible using this method.
If you would like to stop your phone from making your entire contact list available to anyone with a voice, go to Settings > Passcode and disable Siri under the “Allow access when locked” heading.
Hashim’s video is embedded below.