iOS 9.3.1 Flaw Allows Access To Contacts & Photos From Lock Screen, Protect Your Device Now
Anyone who regularly uses Siri, and who also happens to be semi-conscious of device security and protecting their data, will be acutely aware of a number of historical reports that claim to highlight ways in which Siri can be used to bypass security on an iOS device. Fortunately, most of those methods have turned out to be entirely bogus, with no basis in reality when investigated. Unfortunately, the latest Siri exploit to hit the public domain is actually genuine, and can be used to gain access to contacts and photos stored on an otherwise secure iPhone.
Before we all start throwing our devices up in the air and panicking, it’s worth pointing out that while this vulnerability in Siri certainly does exist, it’s also extremely specific and really isn’t something that the average person would simply stumble across to gain access to a device’s data. In addition to that, it’s also entirely preventable, meaning that there is something very explicit that device owners can do within the device settings to ensure that any would-be intruder who is aware of this trick can’t use it to their advantage.
While the YouTuber who demonstrated the access method on one of Apple’s iOS devices tested it in Spanish, it has been verified that this method of intrusion and violating device privacy via Siri also works on a device that has American English set as its main language. The exploit works by asking Siri to search Twitter from the lock screen of the device. The malicious individual then accesses a Twitter bio which could contain actionable Contacts data, and then uses 3D Touch to bring up the Quick Actions contextual menu, choosing the “Add to Existing Contact” option, which opens up a list of all contacts on the device. It’s that requirement of 3D Touch which means this particular exploit will, right now, only work on the iPhone 6s and iPhone 6s Plus running iOS 9 and above.
As if that wasn’t reason enough for concern, you can drill down further and get access to all of the photos saved on the device if the Contacts app has earlier been permitted to access the Photos app. It has also been revealed that the same loophole applies to WhatsApp search results for friends via Siri.
This, however, is applicable only in cases where a user has allowed Siri to integrate Twitter into its searches, which is precisely why the situation can be avoided. If you want to entirely disable the ability for anyone to gain this type of access via Siri, then you can simply turn off Siri’s ability to access certain apps. As an example, if Siri has been used previously to search Twitter, then you can head over to Settings > Privacy > Twitter, and make sure the Siri toggle is switched to the Off position.
Additionally, to prevent Siri from accessing your photos, head over to Settings > Privacy > Photos and uncheck Siri.