iOS 7 Flaw Lets Anyone Use Locked iPhone

Apple's new mobile operating system, iOS 7, has a major security flaw that lets anyone hijack a locked iPhone to make calls, send text messages and emails and post updates on Twitter and Facebook.

This is possible because Siri, Apple's mobile personal-assistant software, is poorly configured, say two researchers from Campbell, Calif.-based security firm Cenzic.

"The weakness is directly within Siri and compromises iOS 7's ability to control common tasks that should be based on permissions," Tyler Rorabaugh, Cenzic's vice president of engineering, wrote in a company blog post.

Unauthorized users should not be able to do anything on locked mobile devices, except call 911.

Staffers in Tom's Guide's New York office were able to replicate Cenzic's findings, and used Siri to post Facebook status updates from locked iOS 7 phones.

Cenzic posted a video on YouTube showing the researchers who discovered the flaw, Abhishek Rahirikar and Michael Yuen, posting status updates on Rorabaugh's Facebook page using his phone.

Using Siri to bypass iPhone lockscreen

Some of the same flaws exist in iOS 6 as well, Rorabaugh wrote.

"By default, Siri is turned on even after the iPhone is locked," Rahirikar told Tom's Guide in an email. "It can still post on things like Twitter [and] Facebook, [and] it can be used to view calling history.

"Access controls in Siri are not comprehensive," Rahirikar said. "You need to turn off Siri completely, or turn off Siri when the phone is locked, using [an] iPhone setting. But by default it is turned on and vulnerable."

Cenzic recommended disabling Siri entirely until Apple patches the flaw.

    Top Comments
  • wopr11
    It's not an iOS 7 Flaw - those users are not holding the phone right.
    Apple will send rubber bands to all those users to solve the problem.
    14
  • derekullo
    User: Siri, I would like to disable Siri.
    Siri: I'm sorry, Dave. I'm afraid I can't do that.
    User: O S**T
    14
  • house70
    iOS is such an easy target, after one day the flaws start to surface. I guess the ones that can't have the fancy Siri (because Apple said so, not because their phones were not capable) are better off. The ones that can't even upgrade to iOS 7 are of course the winners.
    A bunch of people at work were helpless today (and kinda useless, too), because their iToys were giving them fits during/after the upgrade. Also, missing features everywhere, according to their respective hardware versions. Apple gives everybody the iOS 7 version in the 'about' section, but under the surface lurk all kinds of crippled versions. Fragmentation at its finest concealment.
    13
  • Other Comments
  • Anonymous
    This makes me happy
    10