iOS 7 Flaw Lets Anyone Use Locked iPhone

Senior editor, security and privacy
Updated

Apple's new mobile operating system, iOS 7, has a major security flaw that lets anyone hijack a locked iPhone to make calls, send text messages and emails and post updates on Twitter and Facebook.

This is possible because Siri, Apple's mobile personal-assistant software, is poorly configured, say two researchers from Campbell, Calif.-based security firm Cenzic.

"The weakness is directly within Siri and compromises iOS 7's ability to control common tasks that should be based on permissions," Tyler Rorabaugh, Cenzic's vice president of engineering, wrote in a company blog post.

Unauthorized users should not be able to do anything on locked mobile devices, except call 911.

Staffers in Tom's Guide's New York office were able to replicate Cenzic's findings, and used Siri to post Facebook status updates from locked iOS 7 phones.

MORE: 15 Best iOS 7 Apps

Cenzic posted a video on YouTube showing the researchers who discovered the flaw, Abhishek Rahirikar and Michael Yuen, posting status updates on Rorabaugh's Facebook page using his phone.

Using Siri to bypass iPhone lockscreen

Some of the same flaws exist in iOS 6 as well, Rorabaugh wrote.

"By, default Siri is turned on even after the iPhone is locked," Rahirikar told Tom's Guide in an email. "It can still post on  things like Twitter [and] Facebook, [and] it can be used to view calling history.

"Access controls in Siri are not comprehensive," Rahirikar said. "You need to turn Off Siri completely, or turn off Siri when the phone is locked, using [an] iPhone setting. But by default it is turned on and vulnerable."

Cenzic recommended disabling Siri entirely until Apple patches the flaw.

Follow us @tomsguide, on Facebook and on Google+.