February 13, 2012

iPhone 4S Siri security breach

While I was playing with my new iPhone 4S I tried to bypass Apple's built-in security. The following lines was sent to apples security email:
General
While I was working with Siri on my iPhone 4S, I found a security breach that can compromise the privacy of users if their iPhone has been stolen\taken by unauthorized person.

Requirements
iPhone 4S with passcode lock enabled.
Siri is enabled.
Siri is allowed even of the lock-screen is locked (default setting).

Issue
If Siri is enabled in the lock screen settings, an unauthorized user can perform multiple actions without unlocking the iPhone:
1. Send email\SMS to someone within the contacts.
2. Disclose contacts by asking "find people named [any_strange_name]".

Risk description
An unauthorized user can use the iPhone to steal the contact list by using multi-verbs while asking to find people. In addition, the unauthorized user can produce spoofing attack by sending rogue emails to people in the contact list.

Recommendation
It is well known that any user can set a full restriction for Siri or disable it from appearing in the lock screen, however the usability is important for iPhone users. Therefore I recommend to add a menu that can set specific restrictions for email\SMS sendings and looking for people.

See the response below:
Thank you for contacting the Apple Product Security team. We take every report of a potential security issue very seriously. This message is being sent to you by a security analyst who has reviewed your note.
After examining your report we do not see any actual security implications. Users can disable Siri access at the lock screen.
We are tracking your report as an enhancement request. If you have any questions or concerns please feel free to let us know.

In conclusion, Apple's security team recommend us to disable Siri at the lock screen if we want to be protected. From my personal perspective, I think that no one would disable Siri from the lock screen since that's the all point of Siri.
Think about it...

1 comment: