Siri IS a security risk in an Enterprise environment

[stemcdon]

I have posted this on other forums - but get a barrage of -
"But you can turn it off responses"

Hoping the average IQ here is a little higher and can understand the issue

When we activate an iphone on our network, we have the option of enforcing a passcode, so if the phone is lost or left lying around our company information is secure. We also have the option of "Greying Out" the option for the end user to turn off the passcode (They can change it though).

However thanks to siri, this can now be bypassed by anyone who takes possession of the phone, they can in fact call anyone, text anyone or email anyone - this includes people in the contacts / exchange global address book.

Worst case scenario a thief would have access to email / text anyone from customers to the CEO of the organisation and it would appear to have come from the owner of the phone.

There is the option in the settings to disable siri at the lock screen, however as an enterprise we are not able to leave that option available to the end user as it compromises our security policies. What we really need is to be able to disable and "Grey Out" that option - just like we can do with the the passcode setting.

I spent some time this morning discussing it with Apple and eventually spoke to one of their senior advisers in the US "Nathan Rozmus" - he advises

"The feature to disable siri at the lock screen from the exchange interface is not currently available."

When I pointed out that that meant the iphone4s was unsuitable for a corporate environment, he repeated the statement, and advised that I could submit it as a feature request.

Needless to say the iphone4s will continue to be banned on our network, but I think the general population should be informed that there is a risk to corporations.

 

[appleguy123]

"There is the option in the settings to disable siri at the lock screen, however as an enterprise we are not able to leave that option available to the end user as it compromises our security policies."

Why?

 

[Demosthenes X]

"There is the option in the settings to disable siri at the lock screen, however as an enterprise we are not able to leave that option available to the end user as it compromises our security policies."

Why?

Presumably because end users cannot be trusted to actually stick to the security policy and disable it. Which is not an unfair point, imo.

The OP has a point in that this could make the 4S unsuitable for corporate environments. That said, I'm sure a fix will be along shortly from Apple (although honestly I've no idea how their enterprise side functions).

 

[stemcdon]

"There is the option in the settings to disable siri at the lock screen, however as an enterprise we are not able to leave that option available to the end user as it compromises our security policies."

Why?

No company can leave security in the hands of an end user.
Thats why eveyone has their own username and password and why secuirty policies are ENFORCED rather than just trusting people to do the right thing.

Ironically Apple understand this - which is why Enterprises are given the ability to enforce a passcode and remove the ability for an end user to disble the option

 

[Sendaii]

When a phone is reported lost, doesn't the IT department just wipe the phone remotely? This should take care of any worry...

Also, with Siri, you would need to know the names of contacts on the phone, in order to place a call, write an email or text. You would only be able to "maybe" read unread text messages, I haven't tested that out from the lock screen yet.

It seems like a problem, but not a huge problem that is preventing a lot of coporate companies to not upgrade to iPhone 4S.

Though, I could be completely wrong and not understand the original post

 

[C DM]

Being able to do voice dialing and the like from the lock screen has been available on iPhones even before Siri and iPhone 4. Sure, Siri provides much more information in some sense, but if that's a security risk, then even the regular Voice Control that's there on iPhone 4, 3GS, 3G, etc. would most likely be as well. How were/are those phones being treated?

 

[stemcdon]

When a phone is reported lost, doesn't the IT department just wipe the phone remotely? This should take care of any worry...

Also, with Siri, you would need to know the names of contacts on the phone, in order to place a call, write an email or text. You would only be able to "maybe" read unread text messages, I haven't tested that out from the lock screen yet.

It seems like a problem, but not a huge problem that is preventing a lot of coporate companies to not upgrade to iPhone 4S.

Though, I could be completely wrong and not understand the original post

We would indeed wipe remotley - once it was reported to us.....

It extracts the contacts from the global address list - it you knew the name of the company the phone bleonged to then you have direct access to the CEO. Also Saying email "John" helpfully lists all the available "johns" for you to select.

As an aside though - you could email the ceo and tell him what you think of him - then claim you were in the bathroom and someone must have sirihacked your phone lol (Thats a joke - but the HR issues alone are a nightmare

 

[PNutts]

FYI: Coming in here with all caps and an angry face makes me think this is already an argument.

Personally I wouldn't classify it as a security risk but each company has their own policies so it may or may not be depending on where you work. Like you, we also set a number of ActiveSync policies and users must sign an agreement before they can synchronize corporate e-mail. The agreement specifies they must notify us immediately if a mobile device is lost or stolen and then we'll perform a remote wipe. I recommend that they use a third party product like Moxier that allows us to wipe only the corporate data and leave their personal data (and phone) intact. As I typed that I realized that Moxier has it's own passcode separate from the iDevice (which may or may not have one as AS policies are applied to Moxier instead of the iDevice). I assume Siri can open apps and enter passcodes for them, but the bad guy would have to already know the passcode on Moxier to get to the corporate data. It's nice to know that there is at least one workaround to the issue/question.

If I remember I'll mention this topic to my CISO/CIO and see what he thinks.

 

[stemcdon]

Being able to do voice dialing and the like from the lock screen has been available on iPhones even before Siri and iPhone 4. Sure, Siri provides much more information in some sense, but if that's a security risk, then even the regular Voice Control that's there on iPhone 4, 3GS, 3G, etc. would most likely be as well. How were/are those phones being treated?

The 4s will be the first phone we allow (Assuming the fix happens)

AFAIK pre siri you could only call people - which isnt so bad as at least you would have to interact with the person you called and sound like the phone owner

----------

If I remember I'll mention this topic to my CISO/CIO and see what he thinks.

Thats just the effect I'm after, once people have good intel on the risks they can make the correct decision for THEIR enviroment.

The quicker this risk becomes public knowledge, then the quicker Apple will address it.

BTW - I do think SIRI is an amazing piece of engineering

 

[PNutts]

BTW - I do think SIRI is an amazing piece of engineering

I know. I found the other forum you mentioned.

 

[stemcdon]

I know. I found the other forum you mentioned.

ROFL - then I'm sure you can understand some of my frustrations

 

[Peace]

What does your company do about all the other smartphones with voice recognition software built in ?

 

[M87]

Why don't you have your über important company contact Apple about your concerns rather than complaining about it on a rumor forum?

 

[Kadman]

Why don't you have your über important company contact Apple about your concerns rather than complaining about it on a rumor forum?

He has a valid point. No need to get all snippy about it. I'm in an IT leadership role and this sort of thing comes up regularly. In fact, many companies get audited on their security policy and auditors are much more savvy these days, asking about mobile device policies, encryption, remote wipe capabilities, etc.

Apple is still behind the curve in this area. I have no doubt they'll tighten things up later, if called out. Point is, it's not secure by design as it's not the market they cater to (at least not yet).

 

[stemcdon]

Why don't you have your über important company contact Apple about your concerns rather than complaining about it on a rumor forum?

As I said in my post

"I spent some time this morning discussing it with Apple and eventually spoke to one of their senior advisers in the US "Nathan Rozmus"

 

[Kadman]

As I said in my post

"I spent some time this morning discussing it with Apple and eventually spoke to one of their senior advisers in the US "Nathan Rozmus"

See, you assume he read your post. You lost him at about the 3rd line of logic, so he simply hit "Reply" and went the flippant response route. That should teach you a lesson! How dare you use reason and technical detail in your post!

 

[stemcdon]

See, you assume he read your post. You lost him at about the 3rd line of logic, so he simply hit "Reply" and went the flippant response route. That should teach you a lesson! How dare you use reason and technical detail in your post!

lol - it's like having a converstaion with my ex wife

 

[akj27]

Am I doing something wrong here or does Siri not work for me at the lock screen? I don't recall ever changing any settings that have to do with Siri.

 

[deanfx4u]

I can't believe that iPhone configuration utility doesn't allow Siri to be greyed out. Albeit I do not have a 4s to test it on.

 

[stemcdon]

I can't believe that iPhone configuration utility doesn't allow Siri to be greyed out. Albeit I do not have a 4s to test it on.

Yes - I was a bit taken aback.

I expected it to be one of those conversations where they tell you to download an update to the console.

 

[Hammie]

I haven't kept up with them, but have the SMS denial of service and lock screen hacks been fixed?

 

[PNutts]

I haven't kept up with them, but have the SMS denial of service and lock screen hacks been fixed?

Wrong thread.

Apple is still behind the curve in this area. I have no doubt they'll tighten things up later, if called out. Point is, it's not secure by design as it's not the market they cater to (at least not yet).

I disagree. It had Enterprise features earlier than most of the current phones since Windows Mobile (excluding Blackberry). Encryption at rest, ActiveSync license, generous ActiveSync policy support, configuration utility, strong passwords, local certs, local and remote wipe, etc.

Our most important requirements (and all deal breakers) are encryption, password management, and remote wipe, Windows Phone 7 is a consumer device with no encryption. IIRC with one exception Android handsets are just now supporting encryption natively (third party apps like Touchdown and Moxier) filled the gap for Android. AS support has been hit and miss for the various flavors. We allow removable storage but it is another level to manage encryption and is intrusive to the users.

But to each their own. It's all a matter of corporate policy which device fits best.

 

[ohio.emt]

Couldn't you set up the parental controls and turn Siri off that way.

 

[stemcdon]

Couldn't you set up the parental controls and turn Siri off that way.

good suggestion, but from what I see (I may be wrong only just had a quick look) the parental controls use the same pin code as to unlock the phone.

Obviousley the end user needs to have the passcode to be able to use the phone.

 

[aceventura01]

Password lock Siri

To prohibit users from having access to Siri even from the lock screen is to enable the passcode and then turn off the Siri option. This can be found under settings --> general --> password lock --> Siri --> off. This changes the setting to "do not allow access to Siri when locked with a passcode". Unless I'm not understanding what you are trying to do and indicate is at risk. Maybe this feature is not available for enterprise permission yet. Otherwise maybe this is the setting you need.