Siri, the voice-activated personal assistant on the new iPhone 4S, can look up restaurant menus for you, calculate the number of inches in a half mile, tell you the population of New Jersey, even let you know if it will rain this weekend in any city in the world. Unfortunately, Siri's courtesy is not limited to her owner, and the convenience she provides actually leaves new iPhones open to attack.
Graham Cluley, senior technology consultant for the security firm Sophos, found that a person can speak a command into an iPhone 4S, even one that is locked and protected with a passcode, and Siri will provide an answer. Cluley also demonstrated on a friend's iPhone that he was able to write an email and send a text message, all from the locked iPhone.
"If I had wanted to I could have meddled with his calendar appointments, too," Cluley wrote on a Sophos blog.
The security foul-up stems from the way the iPhone 4S configures its passcode settings. The iPhone 4S provides users with the option to passcode-protect phones; Siri, however, is a separate entity, and by default, users are able to access it even when their phones are locked.
Cluley expressed his disappointment in Apple for making Siri accessible on locked phones by default. "They [Apple] could have chosen to implement Siri securely, but instead they decided to default to a mode which is more about impressing your buddies than securing your calendar and email system," Cluley said.
The question of companies choosing default settings that compromise users' security is of particular importance lately; Amazon has received criticism, and questions from Congress, over news that Silk, the Web browser in its soon-to-be-released Kindle Fire tablet, will collect customers' browsing histories.
To prevent someone from accessing Siri and taking advantage of what you thought was your own private, personal assistant, go to the Passcode Lock screen and disable access to Siri on locked phones.