Siri’s Flaw: Apple’s Personal Assistant Leaks Personal Data

Siri for iOS devices has made everyday tasks easier; whether it is getting directions to the nearest gas station or staying in contact with growing social media networks. iOS users can just call out a contact’s name and the device will populate with a telephone number and email address. However, convenience comes with a price: personal information.

What if I told you that it takes only 30 seconds on a friend’s Siri-enabled iOS device for anyone to access your full name, email, number, and even your photo regardless if that phone is locked or not? Concerned?

A potential opening for abuse in Siri-equipped iOS mobile devices allows anyone to use voice recognition to access data on a device, even with a passcode. Ideally, a passcode should prevent unauthorized access to any information stored on a mobile device, much like a password does on a computer. A locked device should not disclose the owner’s identity and contact information, as well those of the owner’s friends, family, and contacts. Siri bypasses this and provides detailed information and other functions on a locked mobile device.

There are several threads on Apple support forums about this ever since Siri was introduced. However, we wanted to highlight the security and privacy risks and bring these to the attention of our readers.

What Can Siri Do?

Once anyone has physical access to your device, they can use voice recognition to call out a number of commands, including those that give access to names, numbers, calendar entries, and more. Here is a list of the commands that work on a locked iOS mobile device, with Siri enabled:

“what’s my name” — Displays and verbalizes the first and last name assigned to phone’s “My Info” selection under Siri settings.
“text name/number <message>” – Sends a text with the message to the contact Name or number you specify
“call name/number” – Calls the contact Name or number you specify
“post Facebook status <message>” – Posts the message to the phone’s authenticated Facebook account
“what’s my location” – Shows map and verbalizes current location
“<first name>” – Shows full contact details from Contacts that match the name spoken
“what’s my email address” — Displays and verbalizes the email address assigned to “My Info” selection under Siri settings
“wake me up at 3AM tomorrow” – Enables an alarm for the specified time
“cancel my alarm at 3AM” – Disables an alarm for the specified time
“create event/reminder/entry/appointment for <date/time>” – Creates a calendar entry
“show me <date/timeframe> schedule” – Displays the calendar entries for the dates or timeframes specified
“remove event/reminder/entry/appoint from calendar on <date/time>” – Removes the calendar entry for the specified date and time

Here’s are sample scenarios showing how a user can use Siri commands to gain information and perform other actions:

Figures 1-4. Various Siri commands

Privacy Implications

The possibilities and ramifications are nearly limitless if potential attackers were to use the above commands on a locked iOS mobile device. Many of these commands impact an owner’s privacy as well as those of the owner’s contacts.

Ideally for the mobile device owners, voice commands could be used by law enforcement or first responders to locate the identity of an injured person and even contact a family member, using a command such as, “Call mom”. However, these commands could also be used by a malicious individual to cause harm in a friendship or relationship by a posting a Facebook status such as “now single and not looking” or “Text boyfriend …”.

Even non-iOS users may be at risk. Tens of millions of iOS mobile devices have been sold around the world. A large portion of the world’s population has at least a friend, family member, or colleague that does own an iOS mobile device with Siri enabled. As such, their contact details can be accessed on a locked screen, also putting their privacy at risk.

What Can You Do

Siri needs additional protection in order to safeguard personal information on iOS mobile devices from potential abuse. These include vocal identity recognition, or requiring user authentication in order to text, call, post to Facebook, set/cancel an alarm, or view a contact’s personal details. However, until the creators of Siri put in steps to prevent such abuse while locked, we recommend that iOS users be wary of who handles their Siri-enabled devices, and turn the personal assistant off as needed.

We have reached out to Apple for their comment on this issue, and they responded by stating that for users to protect themselves against the above scenarios, they need to disable Siri on the lock screen. This can be done through the Settings menu, and accessing Touch ID & Passcode > Siri. From there, the personal assistant can be disabled if the device itself is locked.