Siri security flaw on iPhone 6s & 6s Plus grants access to Contacts and Photos without passcode
A newly discovered Siri search handling bug allows nefarious users to bypass passcode protected lock screens on iPhone 6s and 6s Plus handsets, granting easy access to Contacts and Photos data. The vulnerability is likely applicable only to a subset of devices, however.
Discovered by Jose Rodriguez, who found a similar lock screen flaw last September, the security hole appears effective only in certain scenarios. As presented in a proof-of-concept video, and confirmed by AppleInsider, the vulnerability applies to iPhone 6s and 6s Plus handsets configured to allow Siri app search integrations for Twitter, Contacts and Photos.
In the example provided, a user -- or nefarious agent -- invokes Siri via a long home button press, or iPhone's "Hey Siri" function, and asks the virtual assistant to conduct a Twitter search. If the search results contain actionable Contacts data, like an email address, a 3D Touch gesture can be used to call up a contextual menu with options to send mail and add or modify contact information.
From the 3D Touch Quick Actions menu, tapping on "Add to Existing Contact" opens an iPhone's Contacts list, which can then be used to access device Photos, if so configured.
Rodriguez told AppleInsider the 3D Touch loophole is also applicable to Siri results for WhatsApp friends list searches.
There are a few caveats to successfully leveraging the apparent security flaw. Specifically, a device owner must have previously granted Siri access to their Twitter account, photo library or related app either by conducting a Siri search themselves, or manually configuring service permissions in Settings. When a user first asks Siri to conduct a Twitter search, the assistant will seek permission to access that device's Twitter account, as indexed in device settings. In order to verify ownership, Siri requires account owner confirmation via passcode or Touch ID.
Those concerned about potential intrusions can disable Siri's Twitter integration by navigating to Settings > Twitter and switching off Siri. Doing the same in Settings > Privacy > Photos cuts Siri access to an iPhone's photo library. Alternatively, Siri itself can be completely disabled.
The bypass still works on Apple's latest iOS 9.3.1 update.
Comments
Stifle it, Edith. The H2SO4 emanating from your keyboard is really bad.
---
No doubt. You'd think there'd be a flag to check when a call is made to access sensitive information: isSignedIn=TRUE/FALSE. The flag gets reset when the phone is woken and put to sleep, and set after a valid sign-in. Seems pretty basic to head off any convoluted scenario that might come up in the future.
What does it say here?
"A newly discovered Siri search handling bug allows nefarious users to bypass passcode protected lock screens"
Edit: oh, so the Twitter app must be installed too? I don't have that.
As advertised in many Apple ads, no-hands operation: a person asks Siri a question while cooking with "messy hands" or the like.
So imagine in the future that the iPhone could wake into action via the user's ("owner's") voice, hands free.
Testing this iPhone: on asking Siri for any info I get a reply; the person next to me asks Siri a question ... no response!