Israeli researcher Dany Lisiansky uncovered the flaw, and made a video to demonstrate a way to take a victim’s locked iPhone running iOS 7.02, and access their call history, voicemails and entire list of contacts.
Cult of Mac described how to replicate the behaviour:
1. Call another device you have nearby from a locked iPhone using Siri or voice control
2. Tap the FaceTime button
3. When the FaceTime app appears, hit the sleep/wake button
4. Unlock the iPhone again
5. Answer the call on the other device, then immediately end it
6. After a few seconds, you’ll be taken to the Phone app.
It’s easy to imagine how this vulnerability could be exploited by a business rival or a jealous romantic partner.
The starting point of all this, of course, is that iOS 7 allows you to make a voice-activated phone call using Siri, even if your phone is locked. Great for ease-of-use if you’re driving a car and trying to make a phone call at the same time, bad for security.
Fortunately, it’s simple to block this particular vulnerability by preventing Siri from controlling your locked iPhone.
Go into the Settings app and choose General | Passcode.
At this point you should have to enter your passcode. You *do* have a passcode, don’t you?
Now scroll down, and you will probably find that Apple has allowed Siri access to your iPhone, even when it’s locked.
If you’re worried that this could be used against you – disable it.
Apple, don’t you think it’s about time you realised that “Locked” should mean “really locked, yes including locked from voice control”?