Major iOS security flaw.

Discussion in 'iOS 6' started by CylonGlitch, Feb 11, 2013.

  1. CylonGlitch macrumors 68030

    CylonGlitch

    Joined:
    Jul 7, 2009
    Location:
    SoCal
    #1
    I just found this out completely by accident. I am posting it here before going to post it to Apple.

    Like most, I keep my phone locked at all times. But today I was trying different things with Siri. I found that even with the phone locked you can ask questions like, "What is my name?" "What is my address?" "What is my phone number?" And Siri will tell you all the information. When I asked for my address I got my home address, work address and my rental addresses.

    I could not launch apps but I can get all the personal information about me. I would guess I could get a lot more information by asking the right questions.
     
  2. Intell macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #2
    This isn't a security flaw, it's done by design. You can stop it by disabling Siri on the lockscreen.
     
  3. CylonGlitch, Feb 11, 2013
    Last edited: Feb 11, 2013

    CylonGlitch thread starter macrumors 68030

    CylonGlitch

    Joined:
    Jul 7, 2009
    Location:
    SoCal
    #3
    Then the security flaw is leaving it on by default. I just started playing with Siri so I know I never turned anything on.

    Could you let me know where it is in the settings? I can't find out how to turn it off.
     
  4. dukebound85 macrumors P6

    dukebound85

    Joined:
    Jul 17, 2005
    Location:
    5045 feet above sea level
    #4
    That has been like that even with the 3GS and the voice control days.
     
  5. CylonGlitch thread starter macrumors 68030

    CylonGlitch

    Joined:
    Jul 7, 2009
    Location:
    SoCal
    #5
    Bad, bad, bad design. If I lose my phone, or worse have it stolen, I don't want them to know my addresses, especially home.
     
  6. Gutwrench macrumors 68000

    Gutwrench

    Joined:
    Jan 2, 2011
    #6
    There are bugs and there is user error. There is a concept known as user responsibility.
     
  7. cyks, Feb 11, 2013
    Last edited: Feb 11, 2013

    cyks macrumors 68020

    cyks

    Joined:
    Jul 24, 2002
    Location:
    Westchester County, NY
    #7
    And, if they had it turned off at lock screen by default, they'd have countless people complaining that it doesn't work when the phone is off.

    Considering it doesn't come with a passcode already set and that one has to go into settings to activate one, it's not so far a stretch to think they would have to disable other things for security as well.

    Not to mention, it's an odd complaint since the setting to change it is in the 'Passcode Lock' settings... the same place you go to add/change a passcode.


    Besides, security is just a myth anyway. If anyone wanted to know your (or anyone's) address, it's not difficult.
     
  8. C DM, Feb 11, 2013
    Last edited: Feb 11, 2013
  9. aristobrat macrumors G5

    Joined:
    Oct 14, 2005
    #9
    AFAIK, it shows you the setting when you enable a passcode on your phone.

    Settings > General > Passcode Lock > Allow Access With Locked: > Siri > Off
     
  10. Bawstun macrumors 65816

    Bawstun

    Joined:
    Jun 25, 2009
    #10
    This isn't the correct approach to this problem at all, IMO. When you have 18 zillion iOS devices in the wild, common sense/supreme smarts is NOT going to be the common denominator. There's just too many people using Apple products, it's silly to expect all users to know of this option and to know how to disable it to protect themselves.

    It should be off by default, and a warning should be prompted if you enable Siri in lock mode.
     
  11. cyks macrumors 68020

    cyks

    Joined:
    Jul 24, 2002
    Location:
    Westchester County, NY
    #11
    Except, as has been mentioned a few times already in this thread, it is on the same screen listed under the setting for activating a passcode.

    If you don't add a passcode, then there is no reason for Siri to not work when the phone is locked - as the thief (or whoever) would simply swipe to unlock and either ask Siri there or simply go through the Contacts if they cared so much.

    If you DO add a passcode, it's on top under 'Allow Access When Locked.'
     
  12. thejadedmonkey macrumors 604

    thejadedmonkey

    Joined:
    May 28, 2005
    Location:
    Pennsylvania
    #12
    And this is a company that built a firewall into their OS and set it "on" by default, before any other OS even had a firewall.
     
  13. soucy macrumors newbie

    Joined:
    Jun 11, 2012
    #13
    This is definitely not a security flaw. If you enable a pass code you see the options right away. If a user chooses to enable options without having a look at all available settings that come with pass code lock, it is the user's own fault and not a security flaw.
     


  14. bp1000 macrumors 65816

    Joined:
    Jul 7, 2011
    #14
    Why do you need to be reminded of your own home address or phone number?

    If you are that paranoid, set your home address to your nearest local police station.

    And if you use Siri to navigate home in your car just navigate to your town / city. I'm sure you remember the way home?
     
  15. Zcott macrumors 68020

    Joined:
    Oct 18, 2009
    Location:
    Belfast, Ireland
  16. SAD*FACED*CLOWN macrumors 65816

    SAD*FACED*CLOWN

    Joined:
    Apr 5, 2010
    Location:
    Houston, TX
    #16
    what if someone finds your "LOCKED" iPhone and wants to return it to you?...that information could be helpful...and yes I know it could also be used with bad intentions
     
  17. gglittle macrumors regular

    Joined:
    Oct 26, 2012
    #17
    ICE, in case of emergency

    Or you've slipped on the ice, busted your kahooziz, and are totally incapacitated. I also use an ICE app that provides a lock screen that provides access to emergency information.
     
  18. C DM macrumors Westmere

    Joined:
    Oct 17, 2011
  19. moonman239 macrumors 68000

    Joined:
    Mar 27, 2009
    #19
    Idea: voice recognition. If my phone's locked and Siri doesn't recognize the voice of the person who's talking to her, she'll give the thief a convincing response while alerting you to the fact that the phone has been stolen. She'll also send you the voice clip she took and the phone's current location and heading so you can figure out where the thief is.
     
  20. cyks macrumors 68020

    cyks

    Joined:
    Jul 24, 2002
    Location:
    Westchester County, NY
    #20
    No point. Rather than go through all of that trouble, simply disable Siri from the lock screen if you're that concerned about it.

    The big reason being that thieves don't care about using Siri to find anything out. What, they *might* find out where you live? Big deal. They still have no clue if you live alone, have guard dogs, an alligator-filled moat and an alarm... nor do they care. If they stole your phone, they'll simply pull the SIM (if it has one), turn it off, and restore as new. They know that time spent fiddling with Siri is time you could be using FindMyPhone to pinpoint them.

    Personally, I'd rather strangers could use Siri in case I ever dropped or lost my phone somewhere, I'd like to think that *maybe* they would want to return it to me.


    Much easier than going through voice recognition and not being able to use it anytime I had a cold or was out jogging and out of breath.


    I'd rather Apple devised a way to make it so, if locked, it can't be powered down (only restarted if needed).
     
  21. moonman239 macrumors 68000

    Joined:
    Mar 27, 2009
    #21
    OK, revision: Same idea as above, except that Siri WILL respond to queries such as "How may I contact the owner of this device?" Then Siri will know whoever picked up your phone is probably a Good Samaritan and respond with a designated phone number.

    On that last point you made, I agree with you. In fact, I have a better idea: make the device ignore any restore requests from iTunes unless the computer gives the device a special code that identifies the computer either as a computer that belongs to the owner of the iDevice or as a Genius's work computer.

    Furthermore, have all Geniuses ask iDevice owners who come into their store to present photo identification, a proof of purchase, and an authorization document if the person bringing it in is doing so on the owner's behalf. If you don't identify yourself as the owner, your name and a current picture of you will be stored in a database for Apple to release to police upon their request.

    EDIT: Just thought I'd add that it's probably easier to prevent people from taking a laptop or desktop. Or at least catch the thief. This is assuming the thief takes the laptop out of your bag. Some thieves may just take the whole bag.
     
  22. taedouni macrumors 65816

    Joined:
    Jun 7, 2011
    Location:
    California
    #22
    So you don't want someone who finds your phone to be able to contact you and return your phone?
     
