iOS lock screen security flaw

Discussion in 'iOS 8' started by X-X, Sep 22, 2014.

  1. X-X, Sep 22, 2014
    Last edited: Sep 24, 2014

    X-X macrumors 6502

    Joined:
    Aug 22, 2014
    #1
  2. ps3zocker macrumors regular

    Joined:
    May 3, 2012
    #2
    If you don't want that, just disable Siri for the lock screen. Fixed.
     
  3. Julien, Sep 22, 2014
    Last edited: Sep 22, 2014

    Julien macrumors G4

    Julien

    Joined:
    Jun 30, 2007
    Location:
    Atlanta
    #3
    Also how does "everyone" get a list of Contacts/info to show without knowing the contacts name?

    EDIT: I have tried several queries and I can't get contact info to show without knowing the contact info.
     
  4. PhiLLoW macrumors 6502

    Joined:
    May 31, 2014
    #4
    It's always funny how some people complain about the fact that Apple doesn't give us freedom/choices...but when they do there is always someone who is talking about security issues or similiar.


    You can disable siri in the lockscren by going to Settings => code => enable use when device is locked => siri => 0
     
  5. X-X thread starter macrumors 6502

    Joined:
    Aug 22, 2014
    #5
    I expected that comment ps3zocker, thank you. /s

    Problem is 99% of users don't realize that this is possible by default.
     
  6. Ntombi macrumors 68040

    Ntombi

    Joined:
    Jul 1, 2008
    Location:
    Bostonian exiled in SoCal
    #6
    Disable Siri on lock screen. Problem solved.
    That's not the crux of your OP. You intimated that it wasn't fixable. It is. Whether most people find it a problem and don't know how to change it is a different issue.
     
  7. Julien macrumors G4

    Julien

    Joined:
    Jun 30, 2007
    Location:
    Atlanta
    #7
    What are you asking that is showing Contact info????
     
  8. X-X, Sep 22, 2014
    Last edited: Sep 22, 2014

    X-X thread starter macrumors 6502

    Joined:
    Aug 22, 2014
    #8
  9. antiprotest macrumors 65816

    antiprotest

    Joined:
    Apr 19, 2010
    #9

    I agree. He backpedals.
     
  10. Julien, Sep 22, 2014
    Last edited: Sep 22, 2014

    Julien macrumors G4

    Julien

    Joined:
    Jun 30, 2007
    Location:
    Atlanta
    #10
    Could be better but you can't get Contact info unless you know the persons name. While someone posting to Facebook and adding info to Notes could be inconvenient they are hardly a security issue and more of a prank potential.

    I agree Apple should tighten this up but I don't see how it's a big security issue since you can't get usable info from an unknown iPhone.

    EDIT: Missed the part about the call log and it's potential was not covered. However you can use the names in the call log to ask for the Contact info. This is definitely a security issue that needs to be addressed.
     
  11. X-X thread starter macrumors 6502

    Joined:
    Aug 22, 2014
    #11
    Yes and via "Other..." button you get full access to all contacts as well.

    http://www.youtube.com/watch?v=aGTrCH2s5RU


    So again...on a locked iPhone everyone can post to Facebook, call people, Skype people, get access to all messages, contacts, complete call history and more.

    At this point, why even lock the phone?

    This should not be the default behavior.
     
  12. aggiesrwe03 macrumors regular

    Joined:
    Jan 25, 2009
    Location:
    TEXAS
    #12
    Sigh... To all you "disable Siri" people you're missing the damn point!! The fact that I have to enter a password or my fingerprint to delete an email from the lock screen, but a two year old with happy fingers can text my boss that he needs to potty is plain and simple carelessness in UI design!!! And "disable Siri on the lock screen" pretty much negates the existence of Siri!!!
     
  13. robkat macrumors member

    robkat

    Joined:
    Dec 22, 2008
    Location:
    Scotland
    #13
    I have tried every combination possible on iPad Air, with iOS 8, but cannot access anything without entering a passcode.
     
  14. Baytriple macrumors 6502

    Joined:
    Apr 3, 2012
    #14
    Thanks for the post. I have now disabled my siri from lock screen. Far too much info was in my notes section to be shared.
     
  15. Julien macrumors G4

    Julien

    Joined:
    Jun 30, 2007
    Location:
    Atlanta
    #15
    Siri is enabled by default and I want the convince. Have you disabled it? If not I can likely get your address.

    Just push the Home button and say "show my phone call log" and you will get a list of phone call and names. Just scroll through the list and look for a pattern (most called by name). Then one that has the most will likely be the significant other of the iPhone owner. Now hit the Home button and say "Contact info for Jane Doe" and you have the iPhone owner's address.

    Just do it and see how easy it is. Pick up any iPhone and...

    1) Say "show my phone call log"
    2) Pick most often call and say "Contact info for Jane Doe"

    There is NO way you should be able to get a log of all phone calls made by the iPhone just by asking from the lock screen.

    ----------

    The iPad doesn't have phone call log info.
     
  16. crispyking macrumors newbie

    Joined:
    Oct 27, 2011
    #16
    It's been a while since I've set an iOS device up as new.
    Is it the default to have a passcode?
    If not, then your whole device is insecure as default, not just SIRI.
     
  17. Nozuka macrumors 68000

    Joined:
    Jul 3, 2012
    #17
    i agree with the OP, there should be more options to define what siri can and can not do.
     
  18. bransoj macrumors 6502a

    Joined:
    Jul 31, 2013
    #18
    With regard to a passcode you get prompted when setting up as new or most will have seen it during the iOS8 upgrade. It asks you to set a passcode during the process and the option to ignore it is a lot smaller and even if you choose it you are asked if you are sure so it really does try to make you set one.
     
  19. Julien macrumors G4

    Julien

    Joined:
    Jun 30, 2007
    Location:
    Atlanta
    #19
    This thread is about fully locked (passcode enabled) iPhones. You shouldn't be able to get a full call history with complete names, address, email and phone numbers from a locked iPhone.

    Using my method you will likely get the home contact info for the iPhone owner.
     
  20. crispyking macrumors newbie

    Joined:
    Oct 27, 2011
    #20
    No, this thread is about accessing all that data on a locked iPhone through Siri.
    When it was pointed out that Siri on the lockscreen can be turned off, the point became that it was enabled by default.
    Siri should be able to access that data, even from the lockscreen. But that should be an opt-in situation.

    I was asking if passcode was enabled by default. If it wasn't then the whole phone would be insecure as default. And that the issue with Siri wouldn't really apply as it could be changed when setting up the passcode.

    As the passcode is enabled by default, then the original point still stands. Siri can access private data from the lock screen.
     
  21. alanplum macrumors member

    alanplum

    Joined:
    Jul 20, 2012
    Location:
    Bristol, UK
    #21
    I think you'll find Touch ID is "unlocking" the phone allowing Siri full access.

    Try holding the button down on a finger not registered for Touch ID and see if it lets you do these things.
     
  22. X-X thread starter macrumors 6502

    Joined:
    Aug 22, 2014
    #22
  23. simon5s macrumors newbie

    Joined:
    Sep 17, 2014
    #23
    This. When TouchID was introduced I thought IOS7 allowed you to configure the lock screen to only allow access to Siri with a recognised fingerprint. I'm wondering now if this was ever the case, or whether this feature has been removed in IOS8 (which would not make sense).
     
  24. StuartL macrumors member

    Joined:
    May 22, 2010
    Location:
    UK
    #24
    I just tried this on my iPhone 5.

    Asked siri to show my phone call log and siri replied with "you need to unlock your iPhone first"
     
  25. X-X thread starter macrumors 6502

    Joined:
    Aug 22, 2014
    #25
    No it does not. "Show me recent calls" gives you a call log without any authentication.
     

Share This Page