iOS 7 Flaw Lets Anyone Use Locked iPhone

Source: Tom's Guide US

Apple's new mobile operating system, iOS 7, has a major security flaw that lets anyone hijack a locked iPhone to make calls, send text messages and emails and post updates on Twitter and Facebook.

This is possible because Siri, Apple's mobile personal-assistant software, is poorly configured, say two researchers from Campbell, Calif.-based security firm Cenzic.

"The weakness is directly within Siri and compromises iOS 7's ability to control common tasks that should be based on permissions," Tyler Rorabaugh, Cenzic's vice president of engineering, wrote in a company blog post.

Unauthorized users should not be able to do anything on locked mobile devices, except call 911.

Staffers in Tom's Guide's New York office were able to replicate Cenzic's findings, and used Siri to post Facebook status updates from locked iOS 7 phones.

Cenzic posted a video on YouTube showing the researchers who discovered the flaw, Abhishek Rahirikar and Michael Yuen, posting status updates on Rorabaugh's Facebook page using his phone.

Using Siri to bypass iPhone lockscreen

Some of the same flaws exist in iOS 6 as well, Rorabaugh wrote.

"By default, Siri is turned on even after the iPhone is locked," Rahirikar told Tom's Guide in an email. "It can still post on things like Twitter [and] Facebook, [and] it can be used to view calling history.

"Access controls in Siri are not comprehensive," Rahirikar said. "You need to turn off Siri completely, or turn off Siri when the phone is locked, using [an] iPhone setting. But by default it is turned on and vulnerable."

Cenzic recommended disabling Siri entirely until Apple patches the flaw.

Comments
  • 10
    RedPanda98 , September 20, 2013 3:27 PM
    This makes me happy
  • 13
    house70 , September 20, 2013 3:39 PM
    iOS is such an easy target, after one day the flaws start to surface. I guess the ones that can't have the fancy Siri (because Apple said so, not because their phones were not capable) are better off. The ones that can't even upgrade to iOS 7 are of course the winners.
    A bunch of people at work were helpless today (and kinda useless, too), because their iToys were giving them fits during/after the upgrade. Also, missing features everywhere, according to their respective hardware versions. Apple gives everybody the iOS 7 version in the 'about' section, but under the surface lurk all kinds of crippled versions. Fragmentation at its finest concealment.
  • 14
    wopr11 , September 20, 2013 4:08 PM
    It's not an iOS 7 flaw - those users are not holding the phone right.
    Apple will send rubber bands to all those users to solve the problem.
  • -2
    weierstrass , September 20, 2013 4:39 PM
    I just tried it, Siri still asks for the password if you try more critical things, for example accessing photos. Still, I would like it to also block more basic stuff like posting to Facebook.
  • 14
    derekullo , September 20, 2013 4:50 PM
    User: Siri, I would like to disable Siri.
    Siri: I'm sorry, Dave. I'm afraid I can't do that.
    User: O S**T
  • 4
    nolarrow , September 20, 2013 6:15 PM
    1. Grab co-worker's phone
    2. Post something negative about the boss on LinkedIn
    3. ........
    4. Profit?
  • 9
    jimmysmitty , September 20, 2013 6:47 PM
    Quote:
    Seeing the fanboys slam Apple is amusing since Android has more security holes than Swiss cheese.

    Actually, Apple's products are known to be very insecure. At Pwn2Own they are normally the first systems to be cracked, especially Safari.

    Android is better, but not by much TBH. What we need is a more Windows OS based phone to include AD style control. That would be nice.
  • 1
    Azn Cracker , September 20, 2013 10:42 PM
    windows phone ftw!!!!
  • -7
    hotroderx , September 21, 2013 12:30 AM
    I think it's funny all the hate Apple products get on these forums. The way some people act you would seriously think they're foaming at the mouth as they type their comments.

    One truly has to wonder how many of these people have given an Apple product a serious try?

    I also wonder how many of them buy into the hype that Google is some kind of saint company that does no wrong.

    The bottom line is all cell phone platforms have their pros and cons.

    As far as the companies themselves go, if you think Google isn't as dirty as Microsoft and Apple you're only kidding yourself. The thing is Google is better at hiding their dirty secrets than the competition.
  • 3
    doive1231 , September 21, 2013 1:11 AM
    Man, iOS 7 has made my iPad mini slow. Typing is laborious.
  • 3
    bryonhowley , September 21, 2013 3:43 AM
    @otacon , September 20, 2013 5:18 PM
    Seeing the fanboys slam Apple is amusing since Android has more security holes than Swiss cheese.

    And yet when any of my Android devices are locked they are really locked and the only thing that can be done is to unlock the device or 911, period, the end.
  • 2
    keither5150 , September 21, 2013 8:11 AM
    iOS seems to be more like Android every day (good thing). A co-worker was showing me all the new things that iOS 7 can do. As I looked at my Note 2 saying got it, got it, got it... have that too. It is weird that a company that sues for sliding to unlock blatantly rips off great features from Android. I guess imitation is the highest form of flattery. I am totally OK with the competition copying great features. Apple needs to stop the needless suing of the competition before Samsung really sticks it to them.

    Attention iOS users... welcome to live wallpaper (you won't use it because of the iPhone's small battery, GS3 users have the same problem), welcome to real multitasking, better call management, better camera and gallery management, nearby sharing (not really useful but the kids may like it).
    Apple seems to think that they can turn something 90 degrees and all of a sudden... they invented it.

    I would be okay with Apple if they didn't sue for such silly things.
  • -1
    flong777 , September 22, 2013 3:09 AM
    Wow, this is the third negative article about the iPhone I have read today on Tom's Hardware. What is it with you guys, do you just hate Apple?

    I have iOS 7 and yes, Siri has limited function when the phone is locked, but hell, it doesn't make the phone vulnerable. In fact, if I forget to open my phone and I ask Siri to make a call or something else, EVERY TIME Siri responds that I first have to enter the security code. I don't have a Twitter account or a Facebook account, but oh the horror if someone can post on one of those accounts through a locked phone (which I doubt).

    I mean seriously, this article is just silly. It makes it sound like there is some serious flaw in the iPhone's security and when you read it we find out that someone might post to Twitter on a locked phone. OMG, could this article be more stupid????

    EVERY function I have tried to use on the phone with Siri when it is locked would NOT work until the phone was unlocked and so I seriously doubt the veracity of this article. And BTW, if you are going to post to Twitter on a locked phone, just how would you type it? You could use Siri's voice command theoretically, but as I said, I doubt that will work.

    While I agree that unauthorized users should not be able to use a locked phone, this article is still just silly. If Twitter access is so earth shaking, the author should have explained some specific examples of "why" and given some real life factual examples of "how."
  • 0
    xombie2000 , September 22, 2013 7:51 AM
    iOS 7 users - Settings>general>pass code lock> toggle Siri off

    TG, did you repost this or do the research? I figured this one out in less than 1 minute...
  • 0
    pnattanmai , September 23, 2013 10:21 AM
    @flong777: It's not just Twitter... it can send messages and emails too. So it is kind of a big deal for iPhone users.
    @xombie2000: Do you know what needs to be done for iOS 6? This flaw exists for iOS 6 too.
  • 0
    falcompsx , September 23, 2013 10:43 AM
    It's not that hard to just disable Siri on the lock screen. That being said, disabled should be the default setting. It's not really a security problem, as it's an option you can turn on and off, just the default setting is not the most secure and some users may not know to check it before assuming their locked phone has all access disabled.