The default settings for Apple’s new iPhone 4S personal assistant Siri allow anyone to give it commands while the phone is password-locked.
“A complete stranger can come up to your smartphone, press the button and give Siri a spoken command,” Sophos security consultant Graham Cluley warned.
“I'm sure you can imagine some of the ways this could potentially be abused.”
Using a colleague’s password-locked iPhone 4S, he was able to command Siri to write an email, send a text and potentially manipulate its calendar.
Cluley deemed Apple’s settings a security blunder that left “egg on its face”; however, others disagreed, pointing out that the setting falls well short of a flaw since most consumers do not even use a passcode.
“This is a non-issue,” NSS Labs chief research officer Bob Walder told CSO.com.au. “A simple setting disables the ability to use Siri without unlocking the phone.”
“Most consumers don't even use a passcode. The obvious default setting for Siri in this case is Off - I don't think you can fault Apple.”
Still, according to Cluley, the default setting revealed Apple’s mindset when designing the system.
“What’s disappointing to me though is that Apple had a clear choice here,” said Cluley.
“They could have chosen to implement Siri securely, but instead they decided to default to a mode which is more about impressing your buddies than securing your calendar and email system.”
The vendor has previously targeted Apple’s implementation of other security features, such as encryption.
Sophos’s researchers tested and confirmed that iOS encryption was only partial. Connecting an iPhone 3GS to an Ubuntu machine would allow read and write access to the parts of the phone that contain user-generated content, such as photos, videos, podcasts, movies and recordings.
Contributors to the Full Disclosure list noted that this could pose a problem for some organisations, depending on the company’s security policy.
Sophos’ senior security adviser Chester Wisniewski recently tested whether Apple had changed this in iOS 5 and found that nothing had changed.
“It appears to behave the same. I upgraded my iPad to iOS 5 and can access all my movies, photos, music etc without entering a password. I don’t have an iPhone handy, but I can’t imagine it would behave differently,” he told CSO Australia.