Oct. 19, 2011 at 4:22 PM ET
Apple's new Siri iPhone 4S personal assistant may be a lot of fun, but she's far too willing to talk with strangers, says U.K.-based security research firm Sophos Ltd.
There's been plenty of talk about Siri's funny personality quirks, and how she will respond with sharp wit -- even when owners swear at her or talk dirty to her.
The problem is this same sense of wit wasn't applied to Siri's security settings, according to Sophos.
By default, Siri will take commands from anyone, even if the phone itself is in lock-down mode, researcher Graham Cluley said in a blog post. That means a stranger could pick up a locked iPhone 4S and send an e-mail, send a text message or do many other things the rightful owner of the gadget can do -- without needing to enter a four-digit passcode.
As software developers are fond of saying, this isn't a bug, it's a feature.
Users who delve into their iPhone security settings will find an option, turned on by default, that says "allow access to Siri when locked with a passcode."
That's a poor security design choice, Cluley said.
"What's disappointing to me though is that Apple had a clear choice here," he wrote. "They could have chosen to implement Siri securely, but instead they decided to default to a mode which is more about impressing your buddies than securing your calendar and e-mail system."
Apple didn’t immediately respond to requests for comment.
Tests at msnbc.com show Siri’s friendliness doesn’t extend to all iPhone features. She wouldn’t read out existing e-mails without prompting users for a passcode.
But msnbc.com's Rosa Golijan found a long list of actions Siri would perform, even while the phone was locked. Golijan was able to: look up contacts and retrieve full contact information, including nicknames; learn who sent text messages to the owner; make phone calls, including international calls; and turn alarms on and off.
Curiously, Siri refused to do other things: she wouldn't reveal recent call history, for example, or spit out directions. And most critically, when asked to unlock the phone, Siri said, "I'm sorry, I can't do that."
The selective behavior means Apple considered security when creating Siri's locked-phone permissions.
"But there's plenty you can do with the phone locked, and there's a lot of damage you can cause," Golijan said.
Users concerned about Siri being overly friendly can turn off the Siri security bypass in the Settings/General/Passcode Lock menu on their iPhones.
"Those of us who work in the security arena have often banged on about the importance of securing your smartphone with a password or passcode to prevent unauthorized access," Cluley said. "Most mobile phone manufacturers have recognized that as so many people use their smartphones to manage their diaries, their private communications and their social lives, it's good to have some form of security."
With reporting by Rosa Golijan.