Major iOS security flaw.

[CylonGlitch]

I just found this out completely by accident. I am posting it here before going to post it to Apple.

Like most, I keep my phone locked at all times. But today I was trying different things with Siri. I found that even with the phone locked you can ask questions like, "What is my name?" "What is my address? "What is my phone number?" And Siri will tell you all the information. When I asked for my address I got my home address, work address and my rental addresses.

I could not launch apps but I can get all the personal information about me. I would guess I could get a lot more information by asking the right questions.

 

[Intell]

This isn't a security flaw, it's done by design. You can stop it by disabling Siri on the lockscreen.

 

[CylonGlitch]

This isn't a security flaw, it's done by design. You can stop it by disabling Siri on the lockscreen.

Than the security flaw is leaving it on by default. I just started playing with Siri so I know I never turned anything on.

Could you let me know where it is in the settings? I can't find out how to turn it off.

 

[dukebound85]

that has been like that even with the 3gs and the voice control days

 

[CylonGlitch]

that has been like that even with the 3gs and the voice control days

Bad, bad, bad design. If I lose my phone, or worse have it stolen, I don't want them to know my addresses, especially home.

 

[Gutwrench]

There are bugs and there is user error. There is a concept known as user responsibility.

 

[cyks]

And, if they had it turned off at lock screen by default, they'd have countless people complaining that it doesn't work when the phone is off.

Considering it doesn't come with a passcode already set and that one has to go into settings to activate one, it's not so far a stretch to think they would have to disable other things for security as well.

Not to mention- it's an odd complaint since the setting to change it is in the 'Passcode Lock' settings... the same place you go to add/ change a passcode.


Besides, security is just a myth anyway. If anyone wanted to know your (or anyone's) address, it's not difficult.

 

[C DM]

This likely (security) flaw actually seems worse: https://forums.macrumors.com/threads/1526598/ (https://forums.macrumors.com/posts/16764050/ specifically).

 

[aristobrat]

Than the security flaw is leaving it on by default. I just started playing with Siri so I know I never turned anything on.

Could you let me know where it is in the settings? I can't find out how to turn it off.

AFAIK, it shows you the setting when you enable a passcode on your phone.

Settings > General > Passcode Lock > Allow Access With Locked: > Siri > Off

 

[Bawstun]

There are bugs and there is user error. There is a concept known as user responsibility.

This isn't the correct approach to this problem at all, IMO. When you have 18 zillion iOS devices in the wild, common sense/supreme smarts is NOT going to be common denominator. There's just too many people using Apple products, it's silly to expect all users to know of this option and to know how to disable it to protect themselves.

It should be off by default, and a warning should be prompted if you enable Siri in lock mode.

 

[cyks]

This isn't the correct approach to this problem at all, IMO. When you have 18 zillion iOS devices in the wild, common sense/supreme smarts is NOT going to be common denominator. There's just too many people using Apple products, it's silly to expect all users to know of this option and to know how to disable it to protect themselves.

It should be off by default, and a warning should be prompted if you enable Siri in lock mode.

Except, as has been mentioned a few times already in this thread, it is on the same screen listed under the setting for activating a passcode.

If you don't add a passcode, then there is no reason for Siri to not work when the phone is locked - as the theif (or whoever) would simply swipe to unlock and either ask Siri there or simply go through the Contacts if they cared so much.

If you DO add a passcode, it's on top under 'Allow Access When Locked.'

 

[thejadedmonkey]

There are bugs and there is user error. There is a concept known as user responsibility.

And this is a company that built a firewall into their OS and set it "on" by default, before any other OS even had a firewall.

 

[soucy]

This is definitely not a security flaw. If you enable a pass code you see the options right away. If you a user chooses to enable options without having a look at all available settings that come with pass code lock it is the users own fault and not a security flaw.

 

[bp1000]

Why do you need to be reminded of your own home address or phone number

If you are that paranoid set your home address to your nearest local police station

And if you use Siri to navigate home in your car just navigate to your town / city. I'm sure you remember the way home?

 

[Zcott]

Very helpful feature if you lose your phone.

 

[SAD*FACED*CLOWN]

Bad, bad, bad design. If I lose my phone, or worse have it stolen, I don't want them to know my addresses, especially home.

what if someone finds your "LOCKED" iPhone and wants to return it to you?...that information could be helpful...and yes I know it could also be used with bad intentions

 

[gglittle]

ICE, in case of emergency

what if someone finds your "LOCKED" iPhone and wants to return it to you?...that information could be helpful...and yes I know it could also be used with bad intentions

Or you've slipped on the ice, busted your kahooziz, and are totally incapacitated. I also use an ICE app that provides a lock screen that provides access to emergency information.

 

[C DM]

This likely (security) flaw actually seems worse: https://forums.macrumors.com/threads/1526598/ (https://forums.macrumors.com/posts/16764050/ specifically).

Looks like that actual flaw if finally getting some more attention: https://www.macrumors.com/2013/02/1...g-passcode-lock-to-access-phone-and-contacts/

 

[moonman239]

Idea: voice recognition. If my phone's locked and Siri doesn't recognize the voice of the person who's talking to her, she'll give the thief a convincing response while alerting you to the fact that the phone has been stolen. She'll also send you the voice clip she took and the phone's current location and heading so you can figure out where the thief is.

 

[cyks]

Idea: voice recognition. If my phone's locked and Siri doesn't recognize the voice of the person who's talking to her, she'll give the thief a convincing response while alerting you to the fact that the phone has been stolen. She'll also send you the voice clip she took and the phone's current location and heading so you can figure out where the thief is.

No point. Rather than go through all of that trouble, simply disable Siri from the lock screen if that concerned about it.

The big reason being is that thieves don't care about using Siri to find anything out. What, they *might* find out where you live? Big deal. They still have no clue if you live alone, have guard dogs, an alligator filled moat and an alarm... nor do they care. If they stole your phone, they'll simply pull the SIM (if it has one), turn it off, and restore as new. They know that time spent fiddling with Siri is time you could be using FindMyPhone to pinpoint them.

Personally, I'd rather strangers could use Siri in case I ever dropped or lost my phone somewhere, I'd like to think that *maybe* they would want to return it to me.


Much easier than going through voice recognition and not being able to use it anytime I had a cold or was out jogging and out of breath.


I'd rather Apple devised a way to make it so, if locked, it can't be powered down (only restarted if needed).

 

[moonman239]

No point. Rather than go through all of that trouble, simply disable Siri from the lock screen if that concerned about it.

The big reason being is that thieves don't care about using Siri to find anything out. What, they *might* find out where you live? Big deal. They still have no clue if you live alone, have guard dogs, an alligator filled moat and an alarm... nor do they care. If they stole your phone, they'll simply pull the SIM (if it has one), turn it off, and restore as new. They know that time spent fiddling with Siri is time you could be using FindMyPhone to pinpoint them.

Personally, I'd rather strangers could use Siri in case I ever dropped or lost my phone somewhere, I'd like to think that *maybe* they would want to return it to me.


Much easier than going through voice recognition and not being able to use it anytime I had a cold or was out jogging and out of breath.


I'd rather Apple devised a way to make it so, if locked, it can't be powered down (only restarted if needed).

OK, revision: Same idea as above, except that Siri WILL respond to queries such as "How may I contact the owner of this device." Then Siri will know whoever picked up your phone is probably a Good Samaritan and respond with a designated phone number.

On that last point you made, I agree with you. In fact, I have a better idea: make the device ignore any restore requests from iTunes unless the computer gives the device a special code that identifies the computer either as a computer that belongs to the owner of the iDevice or as a Genius's work computer.

Furthermore, have all Geniuses ask iDevice owners who come into their store to present photo identification, a proof of purchase, and an authorization document if the person bringing it in is doing so on the owner's behalf. If you don't identify yourself as the owner, your name and a current picture of you will be stored in a database for Apple to release to police upon their request.

EDIT: Just thought I'd add that it's probably easier to prevent people from taking a laptop or desktop. Or at least catch the thief. This is assuming the thief takes the laptop out of your bag. Some thieves may just take the whole bag.

 

[taedouni]

So you don't want someone who finds your phone to be able to contact you and return your phone ?