Sophos News

Siri implicated in yet another iPhone lock screen hole

Last week, Computerworld reported a security hole in the iPhone lock screen.

The hole wasn’t catastrophic, but when you consider that “locked” is supposed to mean locked, you shouldn’t be able to change any configuration settings on someone else’s phone without unlocking it first.

The Computerworld “hack” involves popping up Siri at the lock screen by holding down the Home button for a second or so, and then saying the words, “Cellular data”. (In the UK, at least, you can also say “Mobile data”.)

Siri then asks if you’d like to turn data off, thus effectively cutting the phone off from the network.

This doesn’t sound like the end of the world from a security point of view, and perhaps it isn’t, but you can see how the feature could be abused.

By siriptiously (sorry, surreptitiously) turning off someone’s phone connection while they’re not looking, but leaving their phone apparently untouched, you could help an accomplice who is about to try some sort of social engineering attack against the victim that would otherwise attract their attention with an unwanted verification call or a warning SMS.

Sure, you could steal or hide their phone, or even just turn off the ringer, with a similar result, but a missing phone might be noticed, so to speak, and even silenced phones usually vibrate when they want attention.

According to Computerworld, the bug exists even on the latest iOS 10.3.2 release – that’s what we’re running, so we put it to the test.

Does it work?

The good news is that we couldn’t replicate Computerworld’s hack.

We were able to activate Siri, to issue the peremptory words, “Mobile data”, and to get directly at a screen offering to turn it off.

But when we told Siri to turn it off, he immediately said (our Siri is a bloke, don’t know why), “You’ll need to unlock your iPhone first,” and popped up the passcode screen to unlock the phone, as you would expect:

What to do?

The bad news is that you can never be quite sure which voice commands will, and which won’t, work when your device is locked – unless you can figure out and try all of them.

So, whether this is a bug or not, we strongly recommend that you turn Siri off at the lock screen – after all, it’s not called the lock screen for nothing.

To stop Siri listening in at the lock screen, go to Settings | Siri and turn off Access When Locked.

Better yet, unless you really don’t like touching your phone, consider turning Siri off altogether, which has the handy side effect of telling Apple to discard all the pattern-matching voice data it’s collected from you so far:

While you’re about it, review the other iOS features you’ve enabled on the lock screen, in case you’re allowing more access than you thought.

It’s bad enough that Apple no longer allows you to block access to the camera app when your phone is locked, so we recommend that you enable as few additional lock screen options as you can.

Go to Settings | Touch ID & Passcode and look at the Allow access when locked section:

(We’ve got Siri turned off altogether; if he/she is enabled, you’ll see him/her on in this list, too.)
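If you look after more than one iPhone, you don’t have to rely on each user remembering those toggles. The same lock screen settings can be enforced with an iOS configuration profile, using Apple’s Restrictions payload (PayloadType com.apple.applicationaccess). The profile below is an added example, not something from the Sophos article or from Apple: the restriction keys are Apple’s documented ones, but the PayloadIdentifier, PayloadUUID and display name values are placeholders we made up for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <!-- Apple's Restrictions payload; the allow* keys are Apple's own -->
      <key>PayloadType</key>
      <string>com.apple.applicationaccess</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <!-- Identifier, UUID and name are hypothetical placeholders -->
      <key>PayloadIdentifier</key>
      <string>com.example.lockscreen.restrictions</string>
      <key>PayloadUUID</key>
      <string>8F2C9B0E-5D41-4C7A-9E36-1A2B3C4D5E6F</string>
      <key>PayloadDisplayName</key>
      <string>Lock screen restrictions</string>

      <!-- Settings | Siri | Access When Locked = off -->
      <key>allowAssistantWhileLocked</key>
      <false/>
      <!-- Or go further and switch Siri off altogether -->
      <key>allowAssistant</key>
      <false/>

      <!-- Settings | Touch ID & Passcode | Allow access when locked -->
      <key>allowLockScreenTodayView</key>
      <false/>
      <key>allowLockScreenNotificationsView</key>
      <false/>
      <key>allowLockScreenControlCenter</key>
      <false/>
      <key>allowPassbookWhileLocked</key>
      <false/>
      <key>allowVoiceDialing</key>
      <false/>
    </dict>
  </array>

  <!-- Outer profile wrapper; identifier and UUID are placeholders too -->
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>com.example.lockscreen</string>
  <key>PayloadUUID</key>
  <string>3B7E6A52-0C1D-4F98-B2E4-7D6C5B4A3F21</string>
  <key>PayloadDisplayName</key>
  <string>Lock screen: less is more</string>
</dict>
</plist>
```

Save it with a .mobileconfig extension and push it with your MDM, or install it with Apple Configurator. Once a restriction is set by a profile, the matching switch in Settings is greyed out, so the user can’t quietly turn Siri back on at the lock screen. Note that the Restrictions payload also has an allowCamera key, but it removes the camera entirely rather than just from the lock screen, which is why it isn’t in the example above.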

Remember, when it comes to your lock screen, less is more.