Apple’s ‘Siri’ voice-activated personal assistant in the new iPhone 4S is believed to have a security hole that leaves the smartphone partially unguarded, Sophos has revealed.
“Even if an iPhone 4S is locked with a passcode, a complete stranger can come up to your smartphone, press the button and give Siri a spoken command,” warned Sophos blogger Graham Cluley.
“I borrowed a passcode-locked iPhone 4S from a colleague here at Sophos and, with his permission, was able to write an email and send a text message. If I had wanted to, I could have meddled with his calendar appointments, too.
“All without having to enter the passcode. I’m sure you can imagine some of the ways this could potentially be abused.”
How to secure Siri
Cluley pointed out that there’s an easy way for security-conscious users to disable Siri when their phone is locked.
“Enter ‘Settings/General/Passcode Lock’ on your iPhone 4S, and make sure that the ‘Siri’ option is set to ‘Off’.
“That way Siri cannot be used when the smartphone is locked with a passcode. Which seems the sensible option to me in most circumstances.”
Cluley said Apple had an opportunity to avoid the problem. “They could have chosen to implement Siri securely, but instead they decided to default to a mode which is more about impressing your buddies than securing your calendar and email system.
“It’s not as though Siri impressed me enormously, anyway, during my brief play with it. Thirty per cent of the time it misinterpreted what I was trying to say,” Cluley said.