iPhone 4s Security vulnerability
*Joe*
25-10-2011
I did search and couldn't find a thread on this. Those of you who have an iPhone 4s might want to change your default security settings.

If you normally have a passcode set on your iPhone, you can still activate Siri to send text, emails etc... even when your phone is locked, and without having to enter your passcode.

http://www.youtube.com/watch?v=aS2u6ulzdsI

Am surprised this hasn't been mentioned before. Worth watching out for.
davethorp
25-10-2011
It's not really a security vulnerability especially as there is a handy option to turn Siri off if the pass code lock is set in the pass code lock settings. Possibly the only issue is that this option probably should default to off though I'm sure that may come in iOS 5.0.1

Plus I can't say I'm too worried about someone trying to put something in my calendar or write a note if they get hold of my phone
*Joe*
26-10-2011
Originally Posted by davethorp:
“Plus I can't say I'm too worried about someone trying to put something in my calendar or write a note if they get hold of my phone”

I would say that being able to send SMS and emails from a locked phone is quite a big vulnerability, especially for corporate users. It defeats the purpose of locking the phone!
Roush
26-10-2011
There's an option to disable Siri when the phone is passcode locked, so what's the problem?

Surely it would only be a security concern if you couldn't turn it off when the phone is passcode locked? But, as you can turn it off in that situation I don't see a problem.
flagpole
26-10-2011
Originally Posted by Roush:
“There's an option to disable Siri when the phone is passcode locked, so what's the problem?

Surely it would only be a security concern if you couldn't turn it off when the phone is passcode locked? But, as you can turn it off in that situation I don't see a problem.”

it's the fact that the default is on. if you think that this issue is a potential security threat then surely you can see that the default position is pertinent.

as in that mitigating it requires someone to read about it on a forum like this and then make a judgement as to whether they want to disable it on security grounds rather than allow it on functionality grounds. generally you start with all the security features enabled and allow the user to make an informed choice about disabling them.

I'm sure this will be changed though.
*Joe*
26-10-2011
Originally Posted by Roush:
“There's an option to disable Siri when the phone is passcode locked, so what's the problem?

Surely it would only be a security concern if you couldn't turn it off when the phone is passcode locked? But, as you can turn it off in that situation I don't see a problem.”

Did you know it was a problem until you read this thread?? Possibly not, therefore would you have gone out of your way to change the default setting to off? - That is why it is a problem.

How many users would change it from the default setting - none probably unless they were made aware of it, hence the reason for me starting this thread
Thine Wonk
26-10-2011
OP you need to use the right terminology, it's NOT a security vulnerability. There is an option to turn on or off a pin, would you say having it turned off means there is a security vulnerability in iOS? Of course not.

It's something the user should be aware of, but it's absolutely not a security vulnerability.
davethorp
26-10-2011
Originally Posted by *Joe*:
“I would say that being able to send SMS and emails from a locked phone is quite a big vulnerability, especially for corporate users. It defeats the purpose of locking the phone!”

As I and others have mentioned the ability to use Siri from a locked phone can very easily be turned off so it's not a security vulnerability but a feature. You'll be claiming the fact that pass code lock is not enabled by default is a security vulnerability next

Edit didn't read all replies to this thread before beginning this reply so missed Thine Wonk making the exact same point
psionic
26-10-2011
There's a few bugs which Apple need to address urgently in iOS 5. Apparently you can bypass the lock screen on the iPad 2 by deft handling of the magnetic smart cover.
ACU
26-10-2011
I can see how the OP can class it as a security flaw. However I think it's just a cock up...a pretty major one at that. Mainly because the vast majority of Apple users won't mess around with the settings. However it is something that can easily be fixed with an update.
IslandNiles
26-10-2011
Remember that passcode lock is not enabled by default. To switch it on, you have to go to the very screen that contains the other options relating to passcode lock, presumably including the Siri option.
Stiggles
26-10-2011
Originally Posted by davethorp:
“As I and others have mentioned the ability to use Siri from a locked phone can very easily be turned off so it's not a security vulnerability but a feature. You'll be claiming the fact that pass code lock is not enabled by default is a security vulnerability next

Edit didn't read all replies to this thread before beginning this reply so missed Thine Wonk making the exact same point”

When this happened with Windows Vista it was seen as a security issue. This is no different.
Inkblot
26-10-2011
If this vulnerability can only be exploited by someone stealing your phone, shouldn't stopping people stealing phones be the priority?
flagpole
26-10-2011
Originally Posted by Inkblot:
“If this vulnerability can only be exploited by someone stealing your phone, shouldn't stopping people stealing phones be the priority?”

you've not got your apple head on.
Thine Wonk
26-10-2011
IETF RFC 2828 defines vulnerability as:
A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy

Seeing as the pin on the phone is optional, and seeing as the option to enable Siri on the lockscreen or not, I would consider this NOT to be a security vulnerability.

It is an optional security feature which can be enabled if the user is concerned about simple physical unauthorised access.

The feature can be enabled or disabled to reflect the level of security the user requires. There is no weakness in the design or implementation, the features can clearly be turned on or off and by default are off.

I don't bother with a pin on my phone because I keep it in my pocket and never leave it on a desk and walk away. Other people I know at work leave their phones on their desks and then go off to meetings, leaving their colleagues to silence it when it rings etc, annoying!!!
flagpole
26-10-2011
Originally Posted by Thine Wonk:
“IETF RFC 2828 defines vulnerability as:
A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy

Seeing as the pin on the phone is optional, and seeing as the option to enable Siri on the lockscreen or not, I would consider this NOT to be a security vulnerability.

It is an optional security feature which can be enabled if the user is concerned about simple physical unauthorised access.

The feature can be enabled or disabled to reflect the level of security the user requires. There is no weakness in the design or implementation, the features can clearly be turned on or off and by default are off.

I don't bother with a pin on my phone because I keep it in my pocket and never leave it on a desk and walk away. Other people I know at work leave their phones on their desks and then go off to meetings, leaving their colleagues to silence it when it rings etc, annoying!!!”

that is a somewhat contrived explanation. if windows shipped with DEP, ASLR, firewall, UAC and driver signing all switched off by default you could equally well apply your arguments and definitions to that not being a vulnerability, it's a security feature that is not implemented by default.

and that would be wrong. the obvious thing to do in all these cases is to enable the security feature by default and allow the informed user to turn it off if they wish. you could even prompt the user....
IvanIV
26-10-2011
How does this work? Can somebody next to me tell that electronic woman in the phone to do something, like send an email to my boss saying he's an anchor or is some validation necessary?
IslandNiles
26-10-2011
Originally Posted by flagpole:
“that is a somewhat contrived explanation. if windows shipped with DEP, ASLR, firewall, UAC and driver signing all switched off by default you could equally well apply your arguments and definitions to that not being a vulnerability, it's a security feature that is not implemented by default.

and that would be wrong. the obvious thing to do in all these cases is to enable the security feature by default and allow the informed user to turn it off if they wish. you could even prompt the user....”

A reasonable point, but your logic seems to suggest that you would want passcode lock enabled by default.

Originally Posted by IvanIV:
“How does this work? Can somebody next to me tell that electronic woman in the phone to do something, like send an email to my boss saying he's an anchor or is some validation necessary?”

The simple answer to your question is yes, you could do that.

To explain in slightly more detail though, the passcode lock feature is not enabled by default. To enable it, you have to go into a screen which also has options for whether Siri (voice control on older phones) will be available whilst the screen is locked. The default position is on. This isn't new with the 4S, but of course Siri allows you to control much more of the phone than the old voice control did.
Thine Wonk
26-10-2011
Originally Posted by IslandNiles:
“A reasonable point, but your logic seems to suggest that you would want passcode lock enabled by default.”

Exactly, a passcode lock is something that doesn't come on Android by default, and that a lot of people don't want. It's not a security vulnerability not to have it on, it's an optional feature, as is Siri commands on the lock screen.
alanwarwic
26-10-2011
I thought it only goes to the last used APP which says it's a bug.

Not quite intuitive.
davethorp
26-10-2011
Originally Posted by alanwarwic:
“I thought it only goes to the last used APP which says it's a bug.

Not quite intuitive.”

Think that's the smart cover glitch on iPad 2
psionic
27-10-2011
Originally Posted by davethorp:
“Think that's the smart cover glitch on iPad 2”

Yep. Think iOS 5.01 will be coming soon.
http://9to5mac.com/2011/10/20/anyone...o-your-ipad-2/
Smerph
27-10-2011
Default security settings? Erm no.

Firstly, Siri isn't enabled by default.
Secondly, Siri won't appear on the password lock screen unless you enable it.
flagpole
27-10-2011
Originally Posted by Thine Wonk:
“Exactly, a passcode lock is something that doesn't come on Android by default, and that a lot of people don't want. It's not a security vulnerability not to have it on, it's an optional feature, as is Siri commands on the lock screen.”

it's funny trying to explain things around the jobsian logic.

the issue is that if someone enables pin it should not be beholden to them to riddle that siri will enable a bypass. a simple on screen prompt or changing of the default options would be fine.
Rich2k
27-10-2011
Originally Posted by Smerph:
“Default security settings? Erm no.

Firstly, Siri isn't enabled by default.
Secondly, Siri won't appear on the password lock screen unless you enable it.”

Exactly and...

Thirdly iOS doesn't have a passcode lock enabled by default either.

DIGITAL SPY, PART OF THE HEARST UK ENTERTAINMENT NETWORK
