iOS 7 Flaw Lets Anyone Use Locked iPhone

Apple's new mobile operating system, iOS 7, has a major security flaw that lets anyone hijack a locked iPhone to make calls, send text messages and emails and post updates on Twitter and Facebook.

This is possible because Siri, Apple's mobile personal-assistant software, is poorly configured, say two researchers from Campbell, Calif.-based security firm Cenzic.

"The weakness is directly within Siri and compromises iOS 7's ability to control common tasks that should be based on permissions," Tyler Rorabaugh, Cenzic's vice president of engineering, wrote in a company blog post.

Unauthorized users should not be able to do anything on locked mobile devices, except call 911.

Staffers in Tom's Guide's New York office were able to replicate Cenzic's findings, and used Siri to post Facebook status updates from locked iOS 7 phones.

MORE: 15 Best iOS 7 Apps

Cenzic posted a video on YouTube showing the researchers who discovered the flaw, Abhishek Rahirikar and Michael Yuen, posting status updates on Rorabaugh's Facebook page using his phone.

Some of the same flaws exist in iOS 6 as well, Rorabaugh wrote.

"By, default Siri is turned on even after the iPhone is locked," Rahirikar told Tom's Guide in an email. "It can still post on  things like Twitter [and] Facebook, [and] it can be used to view calling history.

"Access controls in Siri are not comprehensive," Rahirikar said. "You need to turn Off Siri completely, or turn off Siri when the phone is locked, using [an] iPhone setting. But by default it is turned on and vulnerable."

Cenzic recommended disabling Siri entirely until Apple patches the flaw.

Follow us @tomsguide, on Facebook and on Google+.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.