iOS 7.1 flaw lets hacker access contacts book
A security researcher was able to access an iPhone's contact book via Siri, even though the screen was locked and password-protected.
As first reported by NBC, Egyptian programmer Sherif Hashim discovered the flaw when playing around with Siri on an iPhone running iOS 7.1.
The method of attack was startlingly simple, as Hashim's video on YouTube shows. Using the latest iPhone 5S, he tries to sign in five times with the TouchID fingerprint sensor and, after he is rejected each time, Apple's Siri voice assistant asks ‘What can I help you with?’. Hashim replies ‘contacts’.
Siri, correctly, asks the user to authenticate, so Hashim cancels and tries another tack, instructing Siri to ‘call’ one of the phone's contacts.
Siri replies ‘with whom would you like to speak’ and Hashim instructs the voice assistant to ‘call A’. All contacts listed under ‘A’ are shown, but the researcher hits ‘other’ and views the entire phone book instead. He was then able to make a call to one of the contacts.
The researcher - who works as a neurosurgeon in his full-time job - advises users to disable Siri on the lock screen. Users can do this by going to 'Settings', 'Passcode' and then clicking on the option to disable Siri under the “allow access when locked” option.
This latest vulnerability comes days after researchers in Germany questioned the strength of iOS encryption on emails, and two weeks after the Cupertino hardware giant faced criticism for not patching vulnerabilities on iOS 7 and OS X at the same time.
The firm did recently fix 41 bugs by rolling out iOS 7.1, but that is unlikely to appease those who say the company - like many others in the consumer electronics space - prioritises practicality and design wins over security.
451 Research analyst Javvad Malik agrees that Apple hasn't got the balance right between usability and security.
“Apple has struggled with Siri in particular and being able to balance usability with security. I seem to recall the driver behind making Siri available to call even when the handset was locked was to allow people driving cars to be able to access functionality without taking their hands off the wheel and eyes off the road,” he told SCMagazineUK.com.
“When you get into these situations, you have to ask – what is the trade-off and correct balance?”
In defense of Apple, Malik says that white-listing what functions a service can and can't do is a ‘difficult task’, made more problematic when regular operating system updates roll around.
“It's not easy and with so many things to check, it's easy to overlook and often happens especially if you've undergone a 'minor' change and only want to check main functionality.” A bigger worry, he said, was that users get little say in what is and what isn't available behind the lockscreen.
“That flexibility just isn't there for users. I see that as the more pressing issue here – not the fact that the contact list is accessible via Siri – but the fact that as an end user, I don't have much control over what can and can't be accessed under what conditions.”
Chris Boyd, analyst at Malwarebytes, believes, however, that the issue will only affect a small number of users, and perhaps those with too much time on their hands.
“This is another one of those relatively obscure iPhone hacks which will probably only truly impact a very small number of people,” he said in an email to SCMagazineUK.com.
“There seem to have been a few of these lately, probably largely because people put iOS on a bit of a pedestal in security terms. It is hard to target with malware and through the iTunes store, so people tend to highlight slightly more tangential flaws.”
“If someone has physical access to your device and the time to do this, you may have larger problems on your hands than a few rogue phone calls.”