Security vendor Trend Micro has sounded the alarm once again on a continuing issue with Apple’s Siri digital assistant that lets anyone with physical access to an iOS device interact with it and easily extract data even if the device is locked.
In a blog post today, security researchers from the company said it takes just 30 seconds for someone to extract names, phone numbers, and calendar entries -- or even post to a connected social media account -- from a locked iOS device using simple voice commands.
“A locked device should not disclose the owner’s identity and contact information, as well as those of the owner’s friends, family, and contacts,” the researchers wrote. “Siri bypasses this and provides detailed information and other functions on a locked mobile device.”
The Trend Micro blog lists several voice commands that someone could use to extract data from iOS devices to which they have physical access. For example, by simply asking “what’s my name” or “what’s my email address,” an attacker could get the device to disclose the owner’s first and last name and email address.
Similarly, to make a call, post a Facebook status update on the device owner’s account or to carry out any task that the legitimate owner would be able to do, an individual only has to verbalize the appropriate commands.
Though a passcode is supposed to prevent strangers from accessing a locked iOS device, Siri offers a way around it and provides attackers with the same access that the device owner would have, the researchers wrote.
This is far from the first time that someone has shown how to exploit a locked iOS device using Siri. As the researchers themselves noted in their blog, discussions on this topic have been going on since Siri was first introduced.
So far at least, Apple has not taken any measures to ensure that Siri cannot be exploited to bypass a locked device. Instead, its response has been to recommend that users concerned about the issue simply disable Siri on the lock screen, Trend Micro says.
The goal in bringing up the issue now is to remind iPhone and iPad users that more and more vectors are available to attackers for breaching Apple’s walled garden these days, says Tom Kellermann, chief cybersecurity officer at Trend Micro.
One example is recent research from France’s Network and Information Security Agency (ANSSI) showing how Siri and other digital assistants like Google Now can be remotely controlled using electromagnetic waves. In a research paper, the ANSSI researchers described how someone using a cheap radio transmitter could issue commands to Siri and Google Now from up to 18 feet away.
“What the blog highlights is another amazing feature of the iOS ecosystem that can be turned against the user,” Kellermann says. “It is an ecosystem that has been the most secure and many believe it to be impenetrable. That has dramatically changed.”
In order to better protect personal information, Apple should consider implementing voice identity recognition or requiring some form of user authentication when someone attempts to use Siri to make calls, send texts, post to Facebook, or carry out similar commands from a locked phone, Trend Micro says.