Apple's Siri Lets Anyone Use A Locked iPhone 4S

HardOCP News

Want to send e-mails and texts on a passcode-locked iPhone 4S? Just use Siri. Wow, this has to be embarrassing. :D

I borrowed a passcode-locked iPhone 4S from a colleague here at Sophos and, with his permission, was able to write an email, and send a text message. If I had wanted to I could have meddled with his calendar appointments too. All without having to enter the passcode. I'm sure you can imagine some of the ways this could potentially be abused.
 
If I recall, they had the exact same problem in the past with being able to access a locked iPhone easily. Something about going into the "emergency dial" and backing out allowed you access to most of the phone's features.

Apple sux at security, be sure!
 
This must be a false story because everyone knows Apple products are never hacked, and are the most secure on the Planet.
 
Really? This seems like a bit more hype than substance from Sophos...

True: The default configuration of Siri does let you use the feature without entering your unlock code first.

However, as noted in the article, you are able to turn this off easily via the Settings app (then you'd have to unlock the device first before you'd be able to use Siri). The argument of the article is that it should be the other way around (off by default). I think that different people might come to a different conclusion on this, though. Personally, I'd say that Apple made the right call. Why?

1. Siri would be far less useful with the "more secure" mode Cluley is suggesting should be enabled. One of the main benefits of the hands-free mode is that it is, you know, essentially hands free. You don't need to look at the phone's screen to use it. If you had to unlock the phone first, you'd need to use the screen (unless Siri could be made to ask you to speak the password first, but I don't think they are able to pull that off, the AI gets confused when you read it a string of ambiguous numbers and letters password-style).

2. My phone is never far out of my reach, and is basically always in my pocket or on my nightstand when I'm sleeping. If I lost it, I'd remote lock and/or wipe it (especially now that it backs itself up every night automatically). You'd essentially need to break into my bedroom ninja-style at night and steal my phone right next to my sleeping body to pull this off. Even if I didn't catch you, my dog almost certainly would. I don't think I'm alone. Most smartphone users I know keep their phones closer than they do their wallets.

3. Even if you did manage to swipe my phone ninja-style, what Siri allows you to do is actually fairly limited. Yes, you could move my calendar appointments around, or find out what I have coming up on my calendar that day. And you could set reminders that would annoy me. Fun parlor tricks for the spiting of one's enemies, sure, but not really all that serious for most people. Worse... You could send my contacts a text message or email, masquerading as me. But you can't have it read you my email. You can't have it read you a text message unless one has recently come in (Siri will only read new text messages, not old ones). You can't move my calendar appointments around unless you know something already about when the existing appointments are happening. Would I rather this not happen? Sure! But is that risk worth having to enter a passcode every time I wanted to use the feature, fumbling in my car? No way.

4. If you don't like this, you can turn it off.

So.... To me, there is really nothing to see here.
 
So.... To me, there is really nothing to see here.
+1

Yeah, it's good to know, but it's not exactly a huge security hole.

Of course, I don't put a password on my phone anyway, so I'm sure I'm just a huge security leak waiting to happen as well...
 
PS. The headline-baiting of this article is terrible, but unfortunately, all-too-expected for anything Apple-related on HardOCP. From reading the HardOCP summary, I immediately assumed that there was some hack you could use to completely bypass the lock via Siri. When I read the article, I realized... Oh, no. It is working as designed, and this guy at Sophos doesn't like it. That's a far cry from "Wow, this has to be embarrassing."

By the way, there are limits to what Siri can do when the phone is locked, above and beyond what you can "normally" do with Siri. For example, you can't use Siri to search the web with the phone locked. Any time it needs to "exit Siri" and open an app, it makes you unlock the phone.

I actually think quite a few of Siri's "limitations" are because of this exact issue. The feature would be far less useful if you had to unlock the phone first to use it. Making that trade-off is not very "Apple". So instead of making that the default, Apple limited what you'd be able to "get away with" on a locked-but-Siri-active device.

Again, if you don't like it, there is a happy more secure option right there waiting for you.

meh.
 
/smh here

I love how people here immediately assumed it was some hack or terrible design when you have the option to enable or disable this. hard reporting once again.
 
unless Siri could be made to ask you to speak the password first, but I don't think they are able to pull that off, the AI gets confused when you read it a string of ambiguous numbers and letters password-style

This is exactly how it should be implemented, period. There are no ifs: if you have a password or code, Siri has to ask for it. If it doesn't, it is a security risk.
 
lol Another security flaw the fanboys will try to spin as a feature.

How is it a security flaw when it's working as intended? Did you not read any of the other posts on how to enable/disable Siri when the phone is locked?
 
lol Another security flaw the fanboys will try to spin as a feature.

The title of this article is about as disingenuous as saying "Android allows anyone to do anything on any phone", and then demoing a phone that has its password lock disabled.
 
Really? This seems like a bit more hype than substance from Sophos...

+1 Internets to glynor.

This isn't an Apple fanboy issue, this is an "Apple made a choice on default behavior" issue, one that can be easily rectified if you're concerned.
 
While it's true that most people that visit this forum do lock their devices nice and tight, put trackers on them, never let them out of their sight, and sleep with their phones locked in their gun safe at night, what about the rest of the 3,999,900 people who have the iPhone 4S? You know, the people who think the moment they put a PIN lock on their phone, it's locked? The people who don't go into every setting of every program? The soccer moms? The teens? The rest of the 99% of the planet who are phone stupid? Basically Apple is setting them up for an epic fail or some really good pranking, and what's sad is, that 99% is Apple's TARGET customer. So basically they are fucking their target customers.

Then again, Apple not giving two shits about their customers other than their money is not big news to anyone.
 
If it bothers you, you can EASILY disable Siri while the phone is locked. I just wish there was a prompt when enabling Siri rather than defaulting to this access being allowed.

Security settings should be higher by default, and toggled down if needed or wanted. Reason being, most people are stupid.
 
Really? This seems like a bit more hype than substance from Sophos...

True: The default configuration of Siri does let you use the feature without entering your unlock code first.

However, as noted in the article, you are able to turn this off easily via the Settings app (then you'd have to unlock the device first before you'd be able to use Siri). The argument of the article is that it should be the other way around (off by default). I think that different people might come to a different conclusion on this, though. Personally, I'd say that Apple made the right call. Why?

etc etc etc etc (edited out).

THAT'S THE REASON!
Why are you appleheads crying foul? It should be OFF by default for security reasons...... now, most users who buy an iPhone don't fiddle with settings, let's be real... they just "use the phone because its the easiest phonez evur!" --- this is like router companies leaving wireless security open by default, and now we have millions of open networks ready to be abused at any given moment by anyone within 75 feet of your house.

This is a big security risk if you ask me.... Android is left open and the USER KNOWS IT'S NOT SAFE. This Apple thing Siri (copy of Android app vLingo) is going to give the user a sense of security, but unbeknownst to them, they are not safe (clearly as proven here). I would expect Apple to release a fix for this ASAP, or else yeah, it's a bad loophole to get into untechy people's phones.
 
While it's true that most people that visit this forum do lock their devices nice and tight, put trackers on them, never let them out of their sight, and sleep with their phones locked in their gun safe at night, what about the rest of the 3,999,900 people who have the iPhone 4S? You know, the people who think the moment they put a PIN lock on their phone, it's locked? The people who don't go into every setting of every program? The soccer moms? The teens? The rest of the 99% of the planet who are phone stupid? Basically Apple is setting them up for an epic fail or some really good pranking, and what's sad is, that 99% is Apple's TARGET customer. So basically they are fucking their target customers.

Then again, Apple not giving two shits about their customers other than their money is not big news to anyone.

QFT. Well said..... someone here gets it :eek:
 
Of course, this setting can be disabled. However, I'm sure this setting should have been disabled by default. I'm always under the impression that the default security settings should always be as restrictive as possible and then loosened as needed.

That's just me though.
 
I do like the fact that you can do some things with the phone locked and Siri on, but not everything (like you can't do locations). Email, calendar, messaging etc. should also be restricted. I agree that it should default to the most secure, but the best solution in this case would be giving an option to assign a voice password of some type or voice authentication to perform any command while locked.
 
QFT. Well said..... someone here gets it :eek:

+2!

If MS did this, people would be having a heyday bashing it... but because it's Apple... well, apparently the "author is a fool". Wow. Really? That just proves the point is valid when you go straight to personal attacks.
 
Computational Science and Application Development 101

Question #56.
When designing an application, which of the following must always be considered?

A) The user is very stupid.
B) The user just wants to break your application and will do so if given the option.
C) The user will not do what he is supposed to unless you force him or do it for him.
D) All of the above.

Um...I pick D.
You're right Bobby!
Sweet! hire me Apple!

Seriously Apple? I like you, but what the fuck was that?
The default security setting is set on the lower end?!?
Terrible developers, or terrible managers. Either one...
 
THAT'S THE REASON!
Why are you appleheads crying foul? It should be OFF by default for security reasons...... now, most users who buy an iPhone don't fiddle with settings, let's be real... they just "use the phone because its the easiest phonez evur!" --- this is like router companies leaving wireless security open by default, and now we have millions of open networks ready to be abused at any given moment by anyone within 75 feet of your house.

This is a big security risk if you ask me.... Android is left open and the USER KNOWS IT'S NOT SAFE. This Apple thing Siri (copy of Android app vLingo) is going to give the user a sense of security, but unbeknownst to them, they are not safe (clearly as proven here). I would expect Apple to release a fix for this ASAP, or else yeah, it's a bad loophole to get into untechy people's phones.

My thoughts exactly. I see so many unsecured wifi routers it's ridiculous. I sometimes wonder how some ever managed to change the SSID. As for iStuff users, I know several who are relatively computer illiterate (some very), yet they use iStuff, and wouldn't know how to change a setting to save their lives, let alone lock down security. At the very least I think programs like this, as well as devices, should demand a password be set before being usable; after that they can make the option to unsecure it available.
 
Don't worry guys, this isn't a bug, it's a feature! You just aren't privy to the proper Apple reality distortion field that makes you realize that this is truly something you want on your device. :D
 
Why is this news? Clearly it's not an oversight in design aspect. They already give you the option to turn it off, while passcode locked. <facepalm>
 
PS. The headline-baiting of this article is terrible, but unfortunately, all-too-expected for anything Apple-related on HardOCP. From reading the HardOCP summary, I immediately assumed that there was some hack you could use to completely bypass the lock via Siri. When I read the article, I realized... Oh, no. It is working as designed, and this guy at Sophos doesn't like it. That's a far cry from "Wow, this has to be embarrassing."

This.
 
I have to agree with Sophos that Siri should be disabled on the lock screen by default, and it is a security risk.

I know several older people who know nothing at all about their iPhone, or how to use it... hell, they needed me to add email accounts to it. They won't know how to disable this new feature, which means they are at risk.
 
Siri, load gay porn

Siri, email to mom

Siri, call mom

Apple should have locked this feature down by default as it's a huge risk. I can't wait to abuse this "feature" with my friends that just got iPhone 4S's this past week.
 
For most people who don't bother locking down security, they likely won't have relationships loaded in their address book, either. Siri understands "mom", "dad", "wife", "brother", "son", but only if you have those relationships defined in your address book entries. I didn't have my sister tagged as "sister", and tried "send a text message to my sister," it said it didn't know who my sister is.
 
Why is this news? Clearly it's not an oversight in design aspect. They already give you the option to turn it off, while passcode locked. <facepalm>

It's absolutely an oversight and a flaw. Intentional or not, it's fucking broken. If I go and tell my phone to be more secure, and it leaves the front door wide open *by default*, that is simply wrong.

Of course none of this is surprising, Apple sucks balls at security. It's not something flashy or marketable or revolutionary, so they don't bother.

Meanwhile Android gets things like full disk encryption. If you want a secure mobile OS, you don't go iOS.
 
It's absolutely an oversight and a flaw. Intentional or not, it's fucking broken. If I go and tell my phone to be more secure, and it leaves the front door wide open *by default*, that is simply wrong.

Of course none of this is surprising, Apple sucks balls at security. It's not something flashy or marketable or revolutionary, so they don't bother.

Meanwhile Android gets things like full disk encryption. If you want a secure mobile OS, you don't go iOS.

Yeah. Until this important shit hits CNN or Fox News, they probably won't even notice (nor will 99% of its clueless users because they haven't seen this news yet)

This is like hitting the LOCK button on your car remote, only to have it beep and not actually lock.... so you THINK it's locked, but it really isn't! Why are you Apple sheepheads not cluing in on this? IT'S BAD, and if this happened on Android I would be calling it bullshit also! Get over yourselves... wow, nothing is tricky with the headline at all. It's 100% fact that Siri enables people to use your new 4Sucker phone.... and Apple should fix it, IMHO, if they want a "secure OS" so the "Apple genius" assumes and tells its clients who buy this UNSECURE phone.
 