The iPhone lockscreen hole that we can’t reproduce

Last week, Computerworld reported a security hole in the iPhone lockscreen.

The hole wasn’t catastrophic, but when you consider that “locked” is supposed to mean locked, you shouldn’t be able to change any configuration settings on someone else’s phone without unlocking it first.

The Computerworld “hack” involves popping up Siri at the lockscreen by holding down the Home button for a second or so, and then saying the words, “Cellular data”. (In the UK, at least, you can also say “Mobile data”.)

Siri then asks if you’d like to turn data off, thus effectively cutting the phone off from the network.

This doesn’t sound like the end of the world from a security point of view, and perhaps it isn’t, but you can see how the feature could be abused.

By siriptiously (sorry, surreptitiously) turning off someone’s phone connection while they’re not looking, but leaving their phone apparently untouched, you could help an accomplice who is about to try some sort of social engineering attack against the victim that would otherwise attract their attention with an unwanted verification call or a warning SMS.

Sure, you could steal or hide their phone, or even just turn off the ringer, with a similar result, but a missing phone might be noticed, so to speak, and even silenced phones usually vibrate when they want attention.

According to Computerworld, the bug exists even on the latest iOS 10.3.2 release – that’s what we’re running, so we put it to the test.

Does it work?

The good news is that we couldn’t replicate Computerworld’s hack.

We were able to activate Siri, to issue the peremptory words, “Mobile data”, and to get directly at a screen offering to turn it off.

But when we told Siri to turn it off, he immediately said (our Siri is a bloke, don’t know why), “You’ll need to unlock your iPhone first,” and popped up the passcode screen to unlock the phone, as you would expect.

What to do?

The bad news is that you can never be quite sure which voice commands will, and which won’t, work when your device is locked – unless you can figure out and try all of them.

So, whether this is a bug or not, we strongly recommend that you turn Siri off at the lockscreen – after all, it’s not called the lock screen for nothing.

To stop Siri listening in at the lockscreen, go to Settings | Siri and turn off Access When Locked.

Better yet, unless you really don’t like touching your phone, consider turning Siri off altogether, which has the handy side-effect of telling Apple to discard all the pattern-matching voice data it’s collected from you so far.

While you’re about it, review the other iOS features you’ve enabled on the lockscreen, in case you’re allowing more access than you thought.

It’s bad enough that Apple no longer allows you to block access to the camera app when your phone is locked; we recommend that you add as few additional lockscreen options as you can.

Go to Settings | Touch ID & Passcode and look at the Allow access when locked section.

(We’ve got Siri turned off altogether; if he/she is enabled, you’ll see him/her in this list, too.)

Remember, when it comes to your lockscreen, less is more.


from Naked Security – Sophos http://bit.ly/2twYtUN
via IFTTT