Maybe the FBI should have just asked Siri.

Over the last two weeks, a Spanish security researcher has demonstrated that users can access personal information off a locked iPhone via Siri, Apple's intelligent assistant technology. The security vulnerabilities would allow someone with physical access to another person's iPhone or iPad to view the person's contacts, photos, calendar entries and reminders without having to unlock the device.

Apple on Tuesday quietly closed one of the vulnerabilities, which allowed access to a phone's address book and pictures. But the other vulnerability, which allows access to a person's schedule, remained open as of Tuesday afternoon.

Spanish security researcher Jose Rodriguez highlighted the vulnerabilities in two separate videos posted to YouTube. Both vulnerabilities take advantage of a feature in iOS, the operating system underlying the iPhone and iPad, that allows users to access Siri without unlocking their phones. By simply saying, "Hey, Siri" or by pressing down on a device's home button, users can activate the intelligent assistant.

The first vulnerability, which Rodriguez identified on March 26, allows anyone with access to an iPhone or iPad to access the calendar book or list of reminders stored on it by just asking Siri. Without having to unlock a phone, a user can say, "Show me what's on my calendar for today," and Siri will show the day's appointments.

Users can ask for appointments on a particular day or for a period of time, such as the next week. They can also add or delete calendar entries. And they have similar access to the phone's to-do list — all without having to unlock a phone.

Rodriguez put a spotlight on the other vulnerability in a video posted on Monday. That one took a little more effort, but would allow a user to view an iPhone or iPad's address book and photos without unlocking it.

According to the video, a user could gain access to that data by asking Siri to search on Twitter for a particular person. The user could then tap on the search results and choose an option to save the person's Twitter ID to the phone's address book. From there, the user could see all of the phone's address book entries.

On the save contact page, a user could then tap on the icon to pick a photo to assign to the address book entry. Doing so would allow the user to view all of the photos stored on the device — again, without having to unlock the phone.

Apple closed that particular security hole on Tuesday. iPhone and iPad owners didn't need to update the software on their phones. Instead, because Siri runs on Apple's own servers, the company was able to fix the problem by updating the software on its own computers.

The discovery of the vulnerabilities comes on the heels of the clash between Apple and the FBI over an iPhone used by one of the San Bernardino attackers. Arguing that there was potentially valuable information about the massacre and the attackers on the phone, the FBI filed a court case against Apple, seeking to have it weaken the phone's security to allow the agency to more easily break into it. Apple fought the case, arguing that it felt a duty to protect the security of its devices and of its users' data.

Apple drew praise from its customers and the tech community for its stance, and the security of the company's products has generally been given high marks.

But in recent weeks, the company's reputation for offering strong security has taken a bit of a hit. In addition to the vulnerabilities identified by Rodriguez, the FBI found its own way to break into the San Bernardino iPhone. That led to the agency withdrawing its case against Apple, but left the company and its customers to wonder about the nature of the vulnerability the agency found and how Apple will step up the security of its devices.

Screenshot of Apple's Siri on the iPhone 6s and Apple Watch (Courtesy of Apple).

The post Siri reveals personal data on locked iPhones appeared first on SiliconBeat.