Feeds

Sweet murmuring Siri opens stalker vulnerability hole in iOS 7

'Siri, hand over my contacts and history now…'

SANS - Survey on application security programs

It has not been a good week for Apple on the security front, and there's no relief in sight after an Israeli researcher found a way to access a locked iPhone's contacts and messages database using Siri.

In a YouTube video, Dany Lisiansky showed how a locked phone running iOS 7.0.2 can be opened by using Siri's voice control to make a call to an attacker's system. This "feature" then allows an attacker to access the target handset's Phone application, giving access to call history, voicemail, and entire list of contacts by following seven steps:

1. Make a phone call (with Siri / Voice Control).

2. Click the FaceTime button.

3. When the FaceTime App appears, click the Sleep button.

4. Unlock the iPhone.

5. Answer and End the FaceTime call at the other end.

6. Wait a few seconds.

7. Done. You are now in the phone app.

"It's easy to imagine how this vulnerability could be exploited by a business rival or a jealous romantic partner," commented security watcher Graham Cluley.

Cupertino has made security a big selling point for its latest mobes, even going as far as recruiting the New York Police Department to hand out leaflets urging Apple users to upgrade to iOS 7. But the handset has also been targeted by researchers and found wanting, not to mention unsettling to the stomach.

It took the Chaos Computer Club only three days to defeat the new iPhone's fingerprint scanner, using a fingerprint printout and some latex wood glue. Chinese Apple users showed one possible way around this – using their nipples instead – but that's unlikely to take off for most users.

Shortly afterwards, attackers found a way to bypass the lock screen using Apple's Control Center, albeit with some nifty fingerwork. That led to Tim Cook's security engineers spending a few sleepless nights, and they pushed out an update on Thursday – but a day later Lisiansky found a way to crack the update.

With over 200 million Apple users now using iOS 7, with no way to remove the upgrade, it looks like there could be another update in the pipes soon if iPhone users are going to have their privacy protected.

In the meantime, users are advised to turn off Siri's ability to work while the handset is locked by going launching the Settings app, tapping General > Passcode Lock, turning Passcode on if it isn't already, then toggling Siri off under Allow Access When Locked. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.