We were all pretty impressed by the Siri exploit a few college freshmen laid out, with their “man in the middle” exploit giving voice control to just about anything via the iPhone. A new hack has some concerned: it potentially offers up your contacts to someone who may have use of your phone, even when it is locked, and allows them to send messages on your behalf.
The flaw occurs when a locked iPhone is given the simple command “call”. Siri, confused, asks who you want to call. If you then edit the text up top, Siri opens up your contacts to the letter or number you designate. She also gives a side door into the rest of your “People”.
You can see the full exploit in the video below, and it’s a bit troubling. We tried this on an iPhone 5S, and were able to replicate it. Interestingly enough, when we tried it with an iPhone that didn’t have a lock screen passcode, the behavior changed. Siri handled contacts differently, and didn’t allow a side door into the contacts as she did with a passcode-locked device.
The simplest way around this is to eliminate Siri from your lock screen. There may be an incoming patch for this, but don’t hold your breath. The behavior is likely meant to help you when you’re using Siri via the lock screen, and it still requires a would-be hacker to have your device, but it’s troubling nonetheless.