
Apple Lockscreen Flaw Lays Open Contacts, Photos

A security flaw on the iPhone 6S and 6S Plus has recently been discovered that allows unauthorized access to the phone via Siri and Twitter.

Security researcher Jose Rodriguez discovered that pretty much anyone can bypass the lockscreen and access personal information without knowing the passcode. An attacker can simply ask Siri (who is by default available at any time, whether the phone is locked or not) to search Twitter for an email address. Once she returns one—it doesn’t matter which—the infiltrator can create a new contact or add the address to an existing contact. That in turn lets the bad guy browse all of the contacts on the phone.

And, if the contacts app has permission to access the iPhone’s photo library (users can assign photos to contacts or import them from Facebook), the attacker can also browse photos by adding a photo to a new or existing contact.

The threat is easily mitigated by turning Siri off for the lockscreen (which can be done by clicking “General” in settings, then “Passcode” (“Touch ID and Passcode” for 5S users), and then sliding “Siri” to the off position).

David Kennerley, senior manager for threat research at Webroot, said via email that the situation highlights once again that a single layer of identity access simply isn’t enough.

“Ease of use and functionality is often prioritized over security and this is a huge problem for the industry,” he said. “Instead of innovations such as fingerprint scanners being added to increase security through two-factor authentication (2FA), we are seeing them replace passwords because it is easier for the user. Users should be taking all steps possible to secure their device, especially given the sensitive information they now hold. This includes scrutinizing whether an application really needs permission to other areas of the phone, backing up files and using secure passwords or 2FA where possible.”

Photo © Oleg GawriloFF/Shutterstock.com