Siri IS a security risk in an Enterprise environment

Discussion in 'iOS 5 and earlier' started by stemcdon, Oct 17, 2011.

  1. stemcdon macrumors newbie

    Joined:
    Oct 17, 2011
    #1
    I have posted this on other forums - but get a barrage of
    "But you can turn it off" responses.

    Hoping the average IQ here is a little higher and can understand the issue.

    When we activate an iPhone on our network, we have the option of enforcing a passcode, so if the phone is lost or left lying around our company information is secure. We also have the option of "Greying Out" the option for the end user to turn off the passcode (they can change it though).

    However, thanks to Siri, this can now be bypassed by anyone who takes possession of the phone: they can in fact call anyone, text anyone or email anyone - this includes people in the contacts / Exchange global address book.

    Worst case scenario, a thief would have access to email / text anyone from customers to the CEO of the organisation, and it would appear to have come from the owner of the phone.

    There is the option in the settings to disable Siri at the lock screen, however as an enterprise we are not able to leave that option available to the end user as it compromises our security policies. What we really need is to be able to disable and "Grey Out" that option - just like we can do with the passcode setting.

    I spent some time this morning discussing it with Apple and eventually spoke to one of their senior advisers in the US, "Nathan Rozmus" - he advises:

    "The feature to disable Siri at the lock screen from the Exchange interface is not currently available."

    When I pointed out that that meant the iPhone 4S was unsuitable for a corporate environment, he repeated the statement, and advised that I could submit it as a feature request.

    Needless to say the iPhone 4S will continue to be banned on our network, but I think the general population should be informed that there is a risk to corporations.
     
  2. appleguy123 macrumors 603

    Joined:
    Apr 1, 2009
    Location:
    15 minutes in the future
    #2
    "There is the option in the settings to disable Siri at the lock screen, however as an enterprise we are not able to leave that option available to the end user as it compromises our security policies."

    Why?
     
  3. Demosthenes X macrumors 68000

    Joined:
    Oct 21, 2008
    #3
    Presumably because end users cannot be trusted to actually stick to the security policy and disable it. Which is not an unfair point, imo.

    The OP has a point in that this could make the 4S unsuitable for corporate environments. That said, I'm sure a fix will be along shortly from Apple (although honestly I've no idea how their enterprise side functions).
     
  4. stemcdon thread starter macrumors newbie

    Joined:
    Oct 17, 2011
    #4
    No company can leave security in the hands of an end user.
    That's why everyone has their own username and password and why security policies are ENFORCED rather than just trusting people to do the right thing.

    Ironically Apple understand this - which is why Enterprises are given the ability to enforce a passcode and remove the ability for an end user to disable the option.
     
  5. Sendaii macrumors member

    Joined:
    Jun 10, 2011
    #5
    When a phone is reported lost, doesn't the IT department just wipe the phone remotely? This should take care of any worry...

    Also, with Siri, you would need to know the names of contacts on the phone, in order to place a call, write an email or text. You would only be able to "maybe" read unread text messages, I haven't tested that out from the lock screen yet.

    It seems like a problem, but not a huge problem that is preventing a lot of corporate companies to not upgrade to iPhone 4S.

    Though, I could be completely wrong and not understand the original post :confused:
     
  6. C DM macrumors Westmere

    Joined:
    Oct 17, 2011
    #6
    Being able to do voice dialing and the like from the lock screen has been available on iPhones even before Siri and iPhone 4. Sure, Siri provides much more information in some sense, but if that's a security risk, then even the regular Voice Control that's there on iPhone 4, 3GS, 3G, etc. would most likely be as well. How were/are those phones being treated?
     
  7. stemcdon thread starter macrumors newbie

    Joined:
    Oct 17, 2011
    #7
    We would indeed wipe remotely - once it was reported to us.....

    It extracts the contacts from the global address list - if you knew the name of the company the phone belonged to then you have direct access to the CEO. Also, saying email "John" helpfully lists all the available "johns" for you to select.

    As an aside though - you could email the CEO and tell him what you think of him - then claim you were in the bathroom and someone must have sirihacked your phone lol (That's a joke - but the HR issues alone are a nightmare)
     
  8. PNutts macrumors 601

    Joined:
    Jul 24, 2008
    Location:
    Pacific Northwest, US
    #8
    FYI: Coming in here with all caps and an angry face makes me think this is already an argument.

    Personally I wouldn't classify it as a security risk but each company has their own policies so it may or may not be depending on where you work. Like you, we also set a number of ActiveSync policies and users must sign an agreement before they can synchronize corporate e-mail. The agreement specifies they must notify us immediately if a mobile device is lost or stolen and then we'll perform a remote wipe. I recommend that they use a third party product like Moxier that allows us to wipe only the corporate data and leave their personal data (and phone) intact. As I typed that I realized that Moxier has its own passcode separate from the iDevice (which may or may not have one as AS policies are applied to Moxier instead of the iDevice). I assume Siri can open apps and enter passcodes for them, but the bad guy would have to already know the passcode on Moxier to get to the corporate data. It's nice to know that there is at least one workaround to the issue/question.

    If I remember I'll mention this topic to my CISO/CIO and see what he thinks.
     
  9. stemcdon thread starter macrumors newbie

    Joined:
    Oct 17, 2011
    #9
    The 4S will be the first phone we allow (assuming the fix happens).

    AFAIK pre-Siri you could only call people - which isn't so bad as at least you would have to interact with the person you called and sound like the phone owner.

    ----------

    That's just the effect I'm after, once people have good intel on the risks they can make the correct decision for THEIR environment.

    The quicker this risk becomes public knowledge, then the quicker Apple will address it.

    BTW - I do think SIRI is an amazing piece of engineering.
     
  10. PNutts macrumors 601

    Joined:
    Jul 24, 2008
    Location:
    Pacific Northwest, US
    #10
    I know. I found the other forum you mentioned. :p
     
  11. stemcdon thread starter macrumors newbie

    Joined:
    Oct 17, 2011
    #11
    ROFL - then I'm sure you can understand some of my frustrations :D
     
  12. Peace macrumors Core

    Joined:
    Apr 1, 2005
    Location:
    Space--The ONLY Frontier
    #12
    What does your company do about all the other smartphones with voice recognition software built in ?
     
  13. M87 macrumors 65816

    Joined:
    Jul 18, 2009
    #13
    Why don't you have your über important company contact Apple about your concerns rather than complaining about it on a rumor forum?
     
  14. Kadman macrumors 65816

    Joined:
    Sep 22, 2007
    #14
    He has a valid point. No need to get all snippy about it. I'm in an IT leadership role and this sort of thing comes up regularly. In fact, many companies get audited on their security policy and auditors are much more savvy these days, asking about mobile device policies, encryption, remote wipe capabilities, etc.

    Apple is still behind the curve in this area. I have no doubt they'll tighten things up later, if called out. Point is, it's not secure by design as it's not the market they cater to (at least not yet).
     
  15. stemcdon thread starter macrumors newbie

    Joined:
    Oct 17, 2011
    #15
    As I said in my post

    "I spent some time this morning discussing it with Apple and eventually spoke to one of their senior advisers in the US "Nathan Rozmus""
     
  16. Kadman macrumors 65816

    Joined:
    Sep 22, 2007
    #16
    See, you assume he read your post. You lost him at about the 3rd line of logic, so he simply hit "Reply" and went the flippant response route. That should teach you a lesson! How dare you use reason and technical detail in your post!

    :D
     
  17. stemcdon thread starter macrumors newbie

    Joined:
    Oct 17, 2011
    #17
    lol - it's like having a conversation with my ex-wife
     
  18. akj27, Oct 17, 2011
    Last edited: Oct 17, 2011

    akj27 macrumors member

    Joined:
    Oct 2, 2010
    #18
    Am I doing something wrong here or does Siri not work for me at the lock screen? I don't recall ever changing any settings that have to do with Siri.
     
  19. deanfx4u macrumors regular

    Joined:
    Aug 3, 2010
    #19
    I can't believe that iPhone configuration utility doesn't allow Siri to be greyed out. Albeit I do not have a 4S to test it on.
     
  20. stemcdon thread starter macrumors newbie

    Joined:
    Oct 17, 2011
    #20
    Yes - I was a bit taken aback.

    I expected it to be one of those conversations where they tell you to download an update to the console.
     
  21. Hammie macrumors 65816

    Joined:
    Mar 17, 2009
    Location:
    Wash, DC Metro
    #21
    I haven't kept up with them, but have the SMS denial of service and lock screen hacks been fixed?
     
  22. PNutts macrumors 601

    Joined:
    Jul 24, 2008
    Location:
    Pacific Northwest, US
    #22
    Wrong thread.

    I disagree. It had Enterprise features earlier than most of the current phones since Windows Mobile (excluding Blackberry). Encryption at rest, ActiveSync license, generous ActiveSync policy support, configuration utility, strong passwords, local certs, local and remote wipe, etc.

    Our most important requirements (and all deal breakers) are encryption, password management, and remote wipe. Windows Phone 7 is a consumer device with no encryption. IIRC with one exception Android handsets are just now supporting encryption natively (third party apps like Touchdown and Moxier filled the gap for Android). AS support has been hit and miss for the various flavors. We allow removable storage but it is another level to manage encryption and is intrusive to the users.

    But to each their own. :) It's all a matter of corporate policy which device fits best.
     
  23. ohio.emt macrumors 6502a

    Joined:
    Jul 18, 2008
    Location:
    Ohio
    #23
    Couldn't you set up the parental controls and turn Siri off that way?
     
  24. stemcdon thread starter macrumors newbie

    Joined:
    Oct 17, 2011
    #24
    Good suggestion, but from what I see (I may be wrong, only just had a quick look) the parental controls use the same pin code as to unlock the phone.

    Obviously the end user needs to have the passcode to be able to use the phone.
     
  25. aceventura01 macrumors newbie

    Joined:
    Mar 23, 2011
    #25
    Password lock Siri

    To prohibit users from having access to Siri even from the lock screen is to enable the passcode and then turn off the Siri option. This can be found under settings --> general --> password lock --> Siri --> off. This changes the setting to "do not allow access to Siri when locked with a passcode". Unless I'm not understanding what you are trying to do and indicate is at risk. Maybe this feature is not available for enterprise permission yet. Otherwise maybe this is the setting you need. :confused:
     