Flaw In iOS 7 Lets Attackers Take Control Of Users' iPhones
SIRI vulnerability enables attackers to act on user's behalf -- even when iPhone is locked
A security flaw in Apple's iOS 7 operating system could enable unauthorized users to send messages or make social network postings on an iPhone owner's behalf -- even when the phone is locked, researchers reported Friday.
The vulnerability, which was disclosed Friday by researchers at application security vendor Cenzic, enables an attacker or prankster to use the SIRI personal voice assistant to crack a locked iPhone and execute tasks that would normally require user permission, such as sending email or posting to Facebook.
In a blog describing the iPhone flaw, the Cenzic researchers said they were able to use a locked iPhone belonging to a third party to send email and texts, make calls, access contact information, and make updates to Facebook and Twitter, all with the user's accounts and without the user's knowledge.
"Imagine someone stealing your iPhone and -- without knowing your passcode -- sending messages, email, or social network postings to your friends and contacts, posing as you," the blog says.
The researchers posted a YouTube video demonstrating the ability to use SIRI on a third party's locked iPhone to make an update on the third party's Facebook page. They also reported the ability to collect and steal the personal information of contacts stored in the iPhone.
The flaw also works on some tasks under iOS 6, the researchers say. End users should take care not to let others use their iPhones, and may want to consider disabling SIRI until Apple fixes the problem, the blog states.