
How Siri leaks your private iPhone messages, and how to stop her

A Brazilian Mac magazine found how to bypass your iPhone lockscreen via Siri - so here's how to stop her reading messages she shouldn't.

A Brazilian Mac magazine – it’s called MacMagazine – claims to have uncovered a security hole in iOS 11.
The bug could allow a crook to access private messages right from the lockscreen, using a “hack” that is going to make you groan with a sense of déjà vu when you learn that it is no more complicated than saying…
…”Hey, Siri.”

If you’ve followed our recommendations over the years, you will long ago have banned as much as possible from your lockscreen.
After all, it’s meant to be a LOCK screen that LOCKS your phone, not merely a cautious front end that gives you partial access to some features of some apps.
We accept that there are regulatory reasons why a lockscreen isn’t allowed to lock out absolutely everything: in a crisis, you want to be able to dial 112, 911, 999, 000 or whatever the relevant emergency number is without fumbling your way through an unlock code first.
But most people like their phone to display a clock when it’s locked – a feature that’s admittedly very convenient – and once you have made one exception, it’s easy to get sucked into a maze of other lockscreen exceptions, including allowing alarms to go off, accessing the camera, and popping up notifications about messages that are worth unlocking your phone to read.
Of course, the more loopholes you have on your lockscreen, the more likely someone will figure out how to sneak through one of them, and that’s the story here.
We haven’t tested out the details of this new bug ourselves, but the security hole seems to open up if you have:

  • Siri turned on.
  • Siri enabled on your lockscreen.
  • Siri set to activate when you say “Hey, Siri.”
  • One or more messaging apps set to Allow Notifications.
  • Those apps set to Show Previews When Unlocked.

We suspect that this is a common configuration – notifications on the lockscreen are only supposed to point out that you have messages to look at, so you’re not leaking any actual message content while your phone is locked.
Setting Show Previews When Unlocked is another convenience that seems uncontroversial – sure, you’ll see private information that’s specific to an app without switching to the app itself, but only when your phone’s unlocked.
Except that MacMagazine tried simply asking Siri to read out notifications from the lockscreen, and she obliged for apps such as WhatsApp and Skype even with the Show Previews option set to “When unlocked.”
(Apparently, Apple’s own Messages app, the default iPhone SMS application, isn’t affected by this bug.)

What to do?

Apple famously gives release dates for its security updates by actually releasing them, hiding behind its official policy that “for our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.”
In this case, Apple has apparently gone slightly off-piste by admitting to the bug and saying it’s working on a fix – but that’s all we know so far.
So, in the meantime, here are some workarounds.
(Note that we suggest using some or all of these settings anyway, even after this bug is patched, on the grounds that when it comes to lockscreen functionality, less is always more.)

  • Turn off Siri altogether. Try living without Siri – she’s been implicated in several security bypass bugs before, so why take the risk unless you really need Apple’s voice recognition services?

    Go to Settings > Siri & Search > ASK SIRI. Turn off the options Listen for “Hey Siri” and Press Home for Siri.

  • Turn off Siri on the lockscreen. Why give anyone who picks up your phone a chance to talk to it and be obeyed by Siri, no matter how inconsequentially?

    Go to Settings > Touch ID & Passcode > ALLOW ACCESS WHEN LOCKED. Turn off the option Siri. (Note: if Siri is turned off altogether, as described above, the “Siri” option doesn’t appear in this list because it’s redundant.)

  • Turn off Notification Previews altogether. You’ll still be able to see that you have messages, but their content will only be visible once you open the relevant app. Apparently, this setting correctly stops Siri from reading out messages at the lockscreen.

    Go to Settings > Notifications > Show Previews. Choose the option Never.

You can also control notifications for individual apps by tapping the app’s name on the Settings > Notifications screen.
For each app – here, we chose Skype – you can block notifications entirely, which leaves you with a blank configuration page:

If you turn notifications on, you’ll see a range of additional options, including whether to show alerts on the lockscreen, and whether to allow Previews:

If you want to strip down your lockscreen baggage, minimise the number of apps that can interact with the lockscreen in the first place.
If you want to keep Siri out of your messages while you aren’t actually in the app, it seems that setting Show Previews to Never will achieve that result.
(We’d love to confirm this for you – but we’ve got Siri turned off altogether, and we aren’t inclined to turn her on to see what happens!)

1 Comment

On my “old” Apple 5c with only 8Gb of RAM I try to run a clean ship and delete all my emails and then empty the email trashcan so nothing remains of any of the emails I have received… or so I thought. If I ask Siri to read my last emails she finds 25 of the latest (erased) emails. It doesn’t worry me; but for some it could represent a dangerous loss of privacy in the wrong hands as Siri will respond to anyone!
I hope all this makes sense and that someone in your organisation considers it a valid security risk?

