A flaw in Apple’s virtual assistant enables dexterous hackers to gain access to an iOS device’s contacts and photos
Apple’s Siri can be used to bypass the password protection on iPhones by an unauthorised user, giving access to the user’s data.
A bug in the virtual assistant means a hacker can simply ask Siri the “who am I?” question to prompt it the display the owner’s name and number. From there the unauthorised user can simply call the iPhone and then tap the message icon that enables a new SMS message to be sent to in reply to a missed call from the iPhone lock screen.
The next step is to then tell the iPhone via Siri to “Turn on VoiceOVer” and then return to the message screen, double-tap the interface bar where the contact information is displayed at the same time as tapping on the on-screen keyboard. From there a hacker can click a button to add new photos and contacts which allows them to access all the contacts and photos on the iPhone.
Physical iPhone hacking
While the bug required physical access to an iPhone with Siri enabled on it, the flaw is still a rather significant hole in the normally robust security mechanisms put in place by Apple.
The YouTubers claim the bug affects iPhones and iPads running Apple’s iOS 8 or higher versions of the mobile operating system.
Given that iPhones are often used by members of the government and civil servants, were an iPhone to be left on a train, much like what happened to a laptop containing sensitive government information several years ago, it could lead to the contact data of members of government to get stolen and exploited by malicious actors.
Apple has yet to respond to the flaw but it is likely the flaw will be patched relatively rapidly.
This is not the first time security bypassing bugs have been discovered in Siri which allow iPhone lock screens to be bypassed without inputting a password.