Yet another iPhone lockscreen vulnerability. This time in iOS 7.02 [VIDEO]

iOS 7.02 only came out a few days ago, with the promise of fixing the various bugs that researchers have found in the new version of Apple's mobile operating system, and I'm sad to report that yet another lockscreen vulnerability has been found.

Israeli researcher Dany Lisiansky uncovered the flaw, and made a video to demonstrate a way to take a victim's locked iPhone running iOS 7.02, and access their call history, voicemails and entire list of contacts.

Cult of Mac described how to replicate the behaviour:

1. Call another device you have nearby from a locked iPhone using Siri or voice control
2. Tap the FaceTime button
3. When the FaceTime app appears, hit the sleep/wake button
4. Unlock the iPhone again
5. Answer the call on the other device, then immediately end it
6. After a few seconds, you’ll be taken to the Phone app.

It's easy to imagine how this vulnerability could be exploited by a business rival or a jealous romantic partner.

The starting point of all this, of course, is that iOS 7 allows you to make a voice-activated phone call using Siri, even if your phone is locked. Great for ease-of-use if you're driving a car and trying to make a phone call at the same time, bad for security.

Fortunately, it's simple to block this particular vulnerability by not allowing Siri to control your locked iPhone.

Go into the Settings app, choose General | Passcode.

At this point you should have to enter your passcode. You *do* have a passcode, don't you?

Now scroll down, and you will probably find that Apple has allowed Siri access to your iPhone, even when it's locked.

If you're worried that this could be used against you - disable it.

Apple, don't you think it's about time you realised that "Locked" should mean "really locked, yes including locked from voice control"?

4 Comments on "Yet another iPhone lockscreen vulnerability. This time in iOS 7.02 [VIDEO]"

Jon Fukumoto
September 30, 2013 8:48 pm

Another one? I don't have FaceTime on my iPhone anyway, since it's a 3GS. Those of you with an iPhone 4, iPhone 5, iPhone 5S or 5C should disable FaceTime and Siri via the Restrictions and use a STRONG PASSWORD, and not the simple 4-digit passcode, until it's patched.

Detlev Rackow
October 2, 2013 8:45 am

For enterprises, there is a workaround for this one:

The standard MDM functionality in iOS allows administrators to disable Siri on locked devices. Since vulnerabilities around Siri on locked phones have turned up regularly, we have had this disabled for about a year – permanently.

Mike Smith
October 3, 2013 10:11 am

I am not a techie and am having a nightmare following the upgrade to 7.01, never mind 7.02, which I have been asked to do… I loved the phone and am now considering buying elsewhere… I cannot believe Jobs would have allowed this 5s to be sold in this state.

October 5, 2013 1:45 am

He's dead – how would he have any control over this?