iPhone 4s Security vulnerability |
#1 |
|
Forum Member
Join Date: Apr 2003
Location: Coventry
Posts: 3,007
|
iPhone 4s Security vulnerability
I did search and couldn't find a thread on this. Those of you who have an iPhone 4s might want to change your default security settings.
If you normally have a passcode set on your iPhone, you can still activate Siri to send texts, emails etc. even when your phone is locked, and without having to enter your passcode.
http://www.youtube.com/watch?v=aS2u6ulzdsI
Am surprised this hasn't been mentioned before. Worth watching out for.
|
|
|
|
|
|
|
#2 |
|
Forum Member
Join Date: Mar 2007
Location: Preston, Lancashire
Posts: 7,255
|
It's not really a security vulnerability, especially as there is a handy option to turn Siri off if the pass code lock is set in the pass code lock settings. Possibly the only issue is that this option probably should default to off, though I'm sure that may come in iOS 5.0.1.
Plus I can't say I'm too worried about someone trying to put something in my calendar or write a note if they get hold of my phone.
|
|
|
|
#3 |
|
Forum Member
Join Date: Apr 2003
Location: Coventry
Posts: 3,007
|
Quote:
Plus I can't say I'm too worried about someone trying to put something in my calendar or write a note if they get hold of my phone
|
|
|
|
|
|
#4 |
|
Forum Member
Join Date: Mar 2011
Location: Hertfordshire
Posts: 2,938
|
There's an option to disable Siri when the phone is passcode locked, so what's the problem?
Surely it would only be a security concern if you couldn't turn it off when the phone is passcode locked? But, as you can turn it off in that situation I don't see a problem. |
|
|
|
|
|
#5 |
|
Inactive Member
Join Date: Jan 2003
Posts: 43,524
|
Quote:
There's an option to disable Siri when the phone is passcode locked, so what's the problem?
Surely it would only be a security concern if you couldn't turn it off when the phone is passcode locked? But, as you can turn it off in that situation I don't see a problem.

as in that mitigating it requires someone to read about it on a forum like this and then make a judgement as to whether they want to disable it on security grounds rather than allow it on functionality grounds. generally you start with all the security features enabled and allow the user to make an informed choice about disabling them. I'm sure this will be changed though.
|
|
|
|
|
#6 |
|
Forum Member
Join Date: Apr 2003
Location: Coventry
Posts: 3,007
|
Quote:
There's an option to disable Siri when the phone is passcode locked, so what's the problem?
Surely it would only be a security concern if you couldn't turn it off when the phone is passcode locked? But, as you can turn it off in that situation I don't see a problem.

How many users would change it from the default setting - none probably unless they were made aware of it, hence the reason for me starting this thread.
|
|
|
|
|
#7 |
|
Forum Member
Join Date: Mar 2009
Posts: 14,577
|
OP, you need to use the right terminology, it's NOT a security vulnerability. There is an option to turn on or off a pin, would you say having it turned off means there is a security vulnerability in iOS? Of course not.
It's something the user should be aware of, but it's absolutely not a security vulnerability.
|
|
|
|
|
#8 |
|
Forum Member
Join Date: Mar 2007
Location: Preston, Lancashire
Posts: 7,255
|
Quote:
I would say that being able to send SMS and emails from a locked phone is quite a big vulnerability, especially for corporate users. It defeats the purpose of locking the phone!
Edit: didn't read all replies to this thread before beginning this reply so missed Thine Wonk making the exact same point.
|
|
|
|
#9 |
|
Forum Member
Join Date: May 2002
Location: Crystal Palace TX
Posts: 19,702
|
There's a few bugs which Apple need to address urgently in iOS 5. Apparently you can bypass the lock screen on the iPad 2 by deft handling of the magnetic smart cover.
|
|
|
|
|
#10 |
|
Forum Member
Join Date: Aug 2009
Posts: 7,918
|
I can see how the OP can class it as a security flaw. However I think it's just a cock up... a pretty major one at that. Mainly because the vast majority of Apple users won't mess around with the settings. However it is something that can easily be fixed with an update.
|
|
|
|
|
|
#11 |
|
Forum Member
Join Date: Apr 2005
Posts: 13,091
|
Remember that passcode lock is not enabled by default. To switch it on, you have to go to the very screen that contains the other options relating to passcode lock, presumably including the Siri option.
|
|
|
|
|
|
#12 |
|
Forum Member
Join Date: Jan 2011
Location: Dundee, Scotland
Posts: 9,293
|
Quote:
As I and others have mentioned the ability to use Siri from a locked phone can very easily be turned off so it's not a security vulnerability but a feature. You'll be claiming the fact that pass code lock is not enabled by default is a security vulnerability next
Edit: didn't read all replies to this thread before beginning this reply so missed Thine Wonk making the exact same point.
|
|
|
|
|
#13 |
|
Forum Member
Join Date: Dec 2001
Location: West London
Posts: 24,319
|
If this vulnerability can only be exploited by someone stealing your phone, shouldn't stopping people stealing phones be the priority?
|
|
|
|
|
|
#14 |
|
Inactive Member
Join Date: Jan 2003
Posts: 43,524
|
Quote:
If this vulnerability can only be exploited by someone stealing your phone, shouldn't stopping people stealing phones be the priority?
|
|
|
|
|
|
#15 |
|
Forum Member
Join Date: Mar 2009
Posts: 14,577
|
IETF RFC 2828 defines vulnerability as:
A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy

Seeing as the pin on the phone is optional, and seeing as the option to enable Siri on the lockscreen or not, I would consider this NOT to be a security vulnerability. It is an optional security feature which can be enabled if the user is concerned about simple physical unauthorised access. The feature can be enabled or disabled to reflect the level of security the user requires. There is no weakness in the design or implementation, the features can clearly be turned on or off and by default are off.

I don't bother with a pin on my phone because I keep it in my pocket and never leave it on a desk and walk away. Other people I know at work leave their phones on their desks and then go off to meetings, leaving their colleagues to silence it when it rings etc, annoying!!!
|
|
|
|
|
#16 |
|
Inactive Member
Join Date: Jan 2003
Posts: 43,524
|
Quote:
IETF RFC 2828 defines vulnerability as:
A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy

Seeing as the pin on the phone is optional, and seeing as the option to enable Siri on the lockscreen or not, I would consider this NOT to be a security vulnerability. It is an optional security feature which can be enabled if the user is concerned about simple physical unauthorised access. The feature can be enabled or disabled to reflect the level of security the user requires. There is no weakness in the design or implementation, the features can clearly be turned on or off and by default are off.

I don't bother with a pin on my phone because I keep it in my pocket and never leave it on a desk and walk away. Other people I know at work leave their phones on their desks and then go off to meetings, leaving their colleagues to silence it when it rings etc, annoying!!!

and that would be wrong. the obvious thing to do in all these cases is to enable the security feature by default and allow the informed user to turn it off if they wish. you could even prompt the user....
|
|
|
|
|
#17 |
|
Forum Member
Join Date: May 2006
Posts: 25,199
|
How does this work? Can somebody next to me tell that electronic woman in the phone to do something, like send an email to my boss saying he's an anchor or is some validation necessary?
|
|
|
|
|
|
#18 |
|
Forum Member
Join Date: Apr 2005
Posts: 13,091
|
Quote:
that is a somewhat contrived explanation. if Windows shipped with DEP, ASLR, firewall, UAC and driver signing all switched off by default you could equally well apply your arguments and definitions to that not being a vulnerability, it's a security feature that is not implemented by default.
and that would be wrong. the obvious thing to do in all these cases is to enable the security feature by default and allow the informed user to turn it off if they wish. you could even prompt the user....

Quote:
How does this work? Can somebody next to me tell that electronic woman in the phone to do something, like send an email to my boss saying he's an anchor or is some validation necessary?

To explain in slightly more detail though, the passcode lock feature is not enabled by default. To enable it, you have to go into a screen which also has options for whether Siri (voice control on older phones) will be available whilst the screen is locked. The default position is on. This isn't new with the 4S, but of course Siri allows you to control much more of the phone than the old voice control did.
|
|
|
|
|
#19 |
|
Forum Member
Join Date: Mar 2009
Posts: 14,577
|
Quote:
A reasonable point, but your logic seems to suggest that you would want passcode lock enabled by default.
|
|
|
|
|
|
#20 |
|
Forum Member
Join Date: Oct 2003
Location: the wild world web
Posts: 28,132
|
I thought it only goes to the last used APP which says it's a bug.
Not quite intuitive. |
|
|
|
|
|
#21 |
|
Forum Member
Join Date: Mar 2007
Location: Preston, Lancashire
Posts: 7,255
|
Quote:
I thought it only goes to the last used APP which says it's a bug.
Not quite intuitive. |
|
|
|
|
#22 |
|
Forum Member
Join Date: May 2002
Location: Crystal Palace TX
Posts: 19,702
|
Quote:
Think that's the smart cover glitch on iPad 2
http://9to5mac.com/2011/10/20/anyone...o-your-ipad-2/ |
|
|
|
|
#23 |
|
Forum Member
Join Date: Mar 2005
Posts: 2,849
|
Default security settings? Erm no.
Firstly, Siri isn't enabled by default. Secondly, Siri won't appear on the password lock screen unless you enable it.
|
|
|
|
|
#24 |
|
Inactive Member
Join Date: Jan 2003
Posts: 43,524
|
Quote:
Exactly, a passcode lock is something that doesn't come on Android by default, and that a lot of people don't want. It's not a security vulnerability not to have it on, it's an optional feature, as is Siri commands on the lock screen.

the issue is that if someone enables pin it should not be beholden to them to riddle that Siri will enable a bypass. a simple on screen prompt or changing of the default options would be fine.
|
|
|
|
|
#25 |
|
Forum Member
Join Date: Jul 2000
Location: UK
Posts: 3,000
|
Quote:
Default security settings? Erm no.
Firstly, Siri isn't enabled by default. Secondly, Siri won't appear on the password lock screen unless you enable it.

Thirdly iOS doesn't have a passcode lock enabled by default either.
|
|
|



