iOS 9 Flaw Lets Siri Spill Your Photos

UPDATE: This post has been updated to reflect that a patch for the vulnerability was released in iOS 9.0.2.

It may be convenient to access Siri without manually unlocking your iPhone or iPad, but the digital personal assistant will sometimes cough up too much of your personal information to anyone who asks for it. That's unfortunately still true under iOS 9's default settings, which grant access to your photos and contact list to anyone who can trigger Siri on a locked device.

The vulnerability, which apparently went unpatched in the recent iOS 9.0.1 update, was discovered by Jose Rodriguez, a Spaniard with a penchant for finding out how to bypass iOS lockscreens. This latest method involves repeatedly entering incorrect unlock passcodes, then activating Siri in the middle of entering another incorrect passcode.

Rodriguez — who has been revealing lockscreen flaws in every major version of iOS dating back to 5.1 — demonstrated on YouTube how he was able to get Siri to hand over your photos and contacts. We weren't able to replicate his method at Tom's Guide, but others have been able to. It doesn't reveal all of your device's data, but if you want to keep your photos private, it's a big concern.

Users can secure their devices from attackers using this passcode bypass by disabling access to Siri from the lockscreen. This can be done by unchecking a feature in the Settings app.

UPDATE: On September 30, Apple addressed this vulnerability with iOS 9.0.2, which it says restricts the "options offered on a locked device."

How to Stop Siri from Being Accessed on a Locked iPhone

1. In the Settings app, select Touch ID & Passcode.

2. Enter your passcode to access the next screen.

3. Scroll down to Allow access when locked, and toggle off Siri's access.