Siri lets anyone use a locked iPhone 4S
cbsnews.com
> It's pretty surprising that Apple has the default
> set to be able to use Siri without unlocking the device.
Siri is turned off by default, so this is actually a pretty misleading thing to say.
I just knew that if the first you hear of something like this is from the mainstream press, then it's just a few less-than-bright friends of a journalist who made the same setting change.
I saw a breathless, panicked post on some forum the other day where a guy thought he'd found a huge security flaw in iOS5 - it seems if you double-click the home button and load the camera, and then press the home button, it goes straight to the home screen, bypassing the lock screen!
People variously could and could not replicate it, until someone finally mentioned that the lock screen only shows if it's been locked for more than a (user-configurable) length of time.
So when people who never use the lock screen went to turn on the lock screen and immediately test it out, shockingly they didn't have to enter a PIN!
While Siri is turned off by default, it appears that Siri-while-locked might be turned on by default once Siri is enabled. I wouldn't enable it in the first place if I had seen it, so it was news to me when I saw that it was turned on when I went to change my passcode the other day.
If it's enabled in that manner by default and lets you bypass the lock screen, then there's a serious problem.
The iPhone passcode thing is kind of a joke, unfortunately -- it's fairly easy to extract the encrypted image from a locked phone, then brute force it. Since almost everyone just uses a 4-digit simple PIN, doing an exhaustive search is faster than syncing to iTunes.
What I'd really like is TPM-type security built into the phone (and used correctly) to protect from brute forcing a short authentication code, and maybe multi-factor auth. E.g. if the phone is inside my house or office (was on my secured wifi, hasn't moved), there can be less security (longer relock interval, shorter passcode, etc.) than if I am out and about. If there were a way to definitively link my phone to my car, I'd be fine with turning off all passcodes -- maybe due to Bluetooth pairing or something.
Biometrics might actually make sense in phones, too, although I'm not sure how much I like the facial recognition in Ice Cream Sandwich.
You're allowed to use a password instead of a 4 digit passcode if you want.
Biometrics are evil. If someone wants what's in your phone that bad, you don't want them cutting off your thumb to get it.
I do, but typing in a long passphrase every single time you unlock your phone kind of sucks; if I had a 4 digit passcode I might set a shorter relock interval.
I'm not so afraid of someone's stealing my phone, then coming back and cutting off my thumb. If I were using the phone, it'd be easier to come up at gunpoint and grab the phone while it's unlocked, if you're that paranoid (one of the reasons highly sensitive data isn't unlocked "in the wild" in sensitive organizations).
Simple theft or losing the phone is still the most likely, and a biometric+PIN, securely stored on device, solves this.
High-end luxury cars have great engine immobilizer systems, which led to a lot of carjackings, since it was easier than unattended theft, which is basically the problem you've identified.
There are LOTS of other issues with biometrics, but they mainly come up when they're part of a centralized service and can't be completely controlled by the user.
Without severely paranoid steps being taken, if someone has your physical device they are going to be able to gain access to the files on that device. This isn't hard math to do.
If you don't select the option to block Siri without entering a passcode, then you can use Siri without entering a passcode.
Shocking.
It's that the option is enabled by default if you have Siri active. It's not obvious, and frankly, should be fixed.
It's reasonably obvious. The option appears on the screen you get as soon as you choose your passcode.
> It's reasonably obvious.
You know what else is reasonably obvious? Those checkboxes saying "Yes, I want to also subscribe to this other site for an additional 29.95", pre-checked on the final checkout screen.
It's not reasonably obvious that after turning the passcode on, that it effectively doesn't secure anything, and it's irresponsible to think that way.
There are a grand total of 6 fields on that screen. One of those fields is prominently labelled as "Siri". It's not like it's being hidden in small print.
Yes, of course I want Siri secure as well. That's why Siri's button is turned on, to enable security. On a page where you are turning on security.
So switch it to "On" then.
> In a default setting, Siri let's [sic] a complete stranger see
> your calendar on your passcode locked iPhone 4S, as well as get
> contact information, make a call and send texts and e-mails.
A complete stranger could also steal your phone. Solution: don't leave your phone accessible to complete strangers.
I think the point of the passcode lock is so that if someone does steal your phone, they won't be able to get any of your personal information from it (provided they're not tech savvy enough to do a relatively easy brute force).
The entire story could have just been the last screenshot and its caption.
Full of sound and fury, signifying nothing.
Siri would be pretty annoying and useless if it required unlocking the phone to use it. If it's actually a bug, I sure hope they don't fix it, or at least make the "correct" behavior optional.
There's a flag in settings to allow/disallow Siri while locked.
I believe the flag is actually set in the same place you enable locking of the phone.
Shouldn't you be able to "tell" Siri a passphrase to unlock?
Agree that requiring unlocking is silly, but the whole point of locking is missing.
> Shouldn't you be able to "tell" Siri a passphrase to unlock?
No, because that would encourage people to vocalize their passphrases.
"...unless you tell it not to." So misleading.
I also found that if you have iOS5 on an iPhone 4, the new camera button allows you to access apps and what-not without unlocking the phone - though it thinks it's locked.
Double click the home button to get the camera icon, go to camera and press home button and you can access all apps.
But if you try to go to the photo gallery, the phone tells you it's locked and won't go there.
Incorrect. That only works if the device doesn't require a passcode to get past the homescreen.
Yes, I thought that might be the case - and I created a passcode after I typed this and this is true -- however it still does not allow you to access photos through the process I described. It shows you a locked screen.
Right, it only lets you see photos you've taken from the lock screen, so no personal data is exposed.