
iOS 7.1 flaw lets hacker access contacts book


A security researcher was able to access an iPhone's contacts book via Siri, even though the screen was locked and protected by a passcode and the Touch ID fingerprint sensor.


As first reported by NBC, Egyptian programmer Sherif Hashim discovered the flaw when playing around with Siri on an iPhone running iOS 7.1.

The method of attack was startlingly simple, as Hashim's video on YouTube shows. Using the latest iPhone 5S, he tried to unlock the handset five times with the Touch ID fingerprint sensor and, after being rejected each time, Apple's Siri voice assistant still asked 'What can I help you with?'. Hashim replied 'contacts'.

Siri, correctly, asked him to authenticate first, so Hashim cancelled and tried another tack, instructing Siri to 'call' one of the phone's contacts.

Siri replied 'With whom would you like to speak?' and Hashim said 'call A'. Siri listed every contact filed under 'A'; Hashim then tapped 'Other' and was shown the entire phone book instead. He was then able to place a call to one of the contacts, all without ever entering the passcode.


The researcher - who works as a neurosurgeon in his full-time job - advises users to disable Siri on the lock screen. To do this, open 'Settings', then 'Passcode' ('Touch ID & Passcode' on Touch ID models), and turn Siri off under 'Allow Access When Locked'.
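Individual users can flip that switch themselves, but an administrator responsible for a fleet of iPhones would rather enforce it centrally. The following is an added example, not code from the article, the researcher or Apple: it builds a minimal configuration profile using Apple's Restrictions payload (PayloadType com.apple.applicationaccess, keys allowAssistant and allowAssistantWhileLocked) and then audits such a profile for the setting. The profile identifiers, UUIDs and display names are hypothetical, and a real deployment would sign the profile and push it through MDM. It also covers the failure mode a quick visual check misses: both keys default to true when absent, so a profile that merely omits allowAssistantWhileLocked leaves Siri answering on the lock screen.

```python
"""Check whether an iOS configuration profile blocks Siri on the lock screen.

Added example, not code from the article, the researcher or Apple.  The
payload type "com.apple.applicationaccess" and the keys "allowAssistant" and
"allowAssistantWhileLocked" are Apple's Restrictions payload keys; everything
else (identifiers, UUIDs, names, the sample profiles) is constructed here.
"""
import plistlib

RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"


def build_profile(allow_assistant_while_locked, allow_assistant=True):
    """Return a minimal .mobileconfig (an XML plist) as bytes.

    Identifiers and UUIDs are hypothetical placeholders; a real profile would
    be signed and installed via MDM rather than generated like this.
    """
    restrictions = {
        "PayloadType": RESTRICTIONS_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions.siri",
        "PayloadUUID": "11111111-2222-3333-4444-555555555555",
        "PayloadDisplayName": "Siri restrictions (example)",
        # Apple's Restrictions keys; both are treated as true when absent.
        "allowAssistant": allow_assistant,
        "allowAssistantWhileLocked": allow_assistant_while_locked,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.siri-lockscreen-policy",
        "PayloadUUID": "66666666-7777-8888-9999-000000000000",
        "PayloadDisplayName": "Siri lock screen policy (example)",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def audit_profile(profile_bytes):
    """Return a list of findings.  An empty list means the profile either
    blocks Siri on the lock screen or disables Siri altogether."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == RESTRICTIONS_PAYLOAD]
    if not payloads:
        return ["no Restrictions payload: lock-screen Siri is left at the "
                "device default, which allows it"]
    findings = []
    for p in payloads:
        if p.get("allowAssistant", True) is False:
            continue  # Siri is off entirely, so the lock-screen case is moot
        # A missing key behaves like true: the restriction must be explicit.
        if p.get("allowAssistantWhileLocked", True):
            findings.append("%s: allowAssistantWhileLocked is not false; Siri "
                            "still answers on the lock screen"
                            % p.get("PayloadIdentifier", "?"))
    return findings


if __name__ == "__main__":
    for label, data in (("weak", build_profile(True)),
                        ("hardened", build_profile(False))):
        print(label, audit_profile(data) or ["ok"])
```

Running the block prints one finding for the weak profile and "ok" for the hardened one. To audit a profile exported from a device or MDM console, pass the file's bytes to audit_profile instead of the constructed ones; the check deliberately treats an absent key as a failure rather than silently assuming the default.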


This latest vulnerability comes days after researchers in Germany questioned the strength of iOS encryption on emails, and two weeks after the Cupertino hardware giant faced criticism for not patching vulnerabilities on iOS 7 and OS X at the same time.

The firm did recently fix 41 bugs by rolling out iOS 7.1, but that is unlikely to appease those who say the company - like many others in the consumer electronics space - prioritises practicality and design wins over security.

451 Research analyst Javvad Malik agrees that Apple hasn't got the balance right between usability and security.

“Apple has struggled with Siri in particular and being able to balance usability with security. I seem to recall the driver behind making Siri available to call even when the handset was locked was to allow people driving cars to be able to access functionality without taking their hands off the wheel and eyes off the road,” he told SCMagazineUK.com.

“When you get into these situations, you have to ask – what is the trade-off and correct balance?”

In defence of Apple, Malik says that whitelisting what functions a service can and can't do is a 'difficult task', made more problematic when regular operating system updates roll around.

“It's not easy and with so many things to check, it's easy to overlook and often happens, especially if you've undergone a 'minor' change and only want to check main functionality.” A bigger worry, he said, was that users get little say in what is and what isn't available behind the lock screen.

“That flexibility just isn't there for users. I see that as the more pressing issue here – not the fact that the contact list is accessible via Siri – but the fact that as an end user, I don't have much control over what can and can't be accessed under what conditions.”

Chris Boyd, analyst at Malwarebytes, believes, however, that the issue will only affect a small number of users, and perhaps those with too much time on their hands.

“This is another one of those relatively obscure iPhone hacks which will probably only truly impact a very small number of people,” he said in an email to SCMagazineUK.com.


“There seem to have been a few of these lately, probably largely because people put iOS on a bit of a pedestal in security terms. It is hard to target with malware and through the iTunes store, so people tend to highlight slightly more tangential flaws.”

“If someone has physical access to your device and the time to do this, you may have larger problems on your hands than a few rogue phone calls.”
