Siri lets anyone use a locked iPhone 4S (opens in new tab)

(cbsnews.com)

32 pointssspencer14y ago28 comments

28 comments

    > It's pretty surprising that Apple has the default
    > set to be able to use Siri without unlocking the device.

Siri is turned off by default, so this is actually a pretty misleading thing to say.

tobylane14y ago

I just knew that if the first you hear of something like this is from the mainstream press, then it's just a few less-than-bright friends of a journalist made the same setting change.

evan_14y ago

I saw a breathless, panicked post on some forum the other day where a guy thought he'd found a huge security flaw in iOS5- it seems if you double-click the home button and load the camera, and then press the home button, it goes straight to the home screen, bypassing the lock screen!

People variously could and could not replicate it, until someone finally mentioned that the lock screen only shows if it's been locked for more than a (user-configurable) length of time.

So when people who never use the lock screen went to turn on the lock screen and immediately test it out, shockingly they didn't have to enter a PIN!

silencio14y ago

While Siri is turned off by default, it appears that Siri-while-locked might be turned on by default once Siri is enabled. I wouldn't enable it in the first place if I had seen it, so it was news to me when I saw that it was turned on when I went to change my passcode the other day.

If it's enabled in that manner by default and lets you bypass the lock screen, then there's a serious problem.

rdl14y ago

The phone iPhone passcode thing is kind of a joke, unfortunately -- it's fairly easy to extract the encrypted image from a locked phone, then brute force it. Since almost everyone just uses a 4-digit simple PIN, doing an exhaustive search is faster than syncing to iTunes.

What I'd really like is TPM-type security built into the phone (and used correctly) to protect from brute forcing a short authentication code, and maybe multi-factor auth. e.g. if the phone is inside my house or office (was on my secured wifi, hasn't moved), there can be less security (longer relock interval, shorter passcode, etc.) than if I am out and about. If there were a way to definitively link my phone to my car, I'd be fine with turning off all passcodes -- maybe due to bluetooth pairing or something.

Biometrics might actually make sense in phones, too, although I'm not sure how much I like the facial recognition in ice cream sandwich.

gte910h14y ago

You're allowed to use a password instead of a 4 digit passcode if you want.

Biometrics are evil. If someone wants what's in your phone that bad, you don't want them cutting off your thumb to get it.

rdl14y ago

I do, but typing in a long passphrase every single time you unlock your phone kind of sucks; if I had a 4 digit passcode I might set a shorter relock interval.

I'm not so afraid of someone's stealing my phone, then coming back and cutting off my thumb. If I were using the phone, it'd be easier to come up at gunpoint and grab the phone while it's unlocked, if you're that paranoid (one of the reasons highly sensitive data isn't unlocked "in the wild" in sensitive organizations).

Simple theft or losing the phone is still the most likely, and a biometric+PIN, securely stored on device, solves this.

High-end luxury cars have great engine immobilizer systems, which led to a lot of carjackings, since it was easier than unattended theft, which is basically the problem you've identified.

There are LOTS of other issues with biometrics, but they mainly come up when they're part of a centralized service and can't be completely controlled by the user.

cschep14y ago

Without severely paranoid steps being taken, if someone has your physical device they are going to be be able to gain access to the files on that device. This isn't hard math to do.

prof_hobart14y ago

If you don't select the option to block Siri without entering a passcode, then you can use Siri without entering a passcode.

Shocking.

jasonlotito14y ago

It's that the option is enabled by default if you have Siri active. It's not obvious, and frankly, should be fixed.

prof_hobart14y ago

It's reasonably obvious. The option appears on the screen you get as soon as you choose your passcode.

1 more reply

biot14y ago

  > In a default setting, Siri let's [sic] a complete stranger see
  > your calendar on your passcode locked iPhone 4S, as well as get
  > contact information, make a call and send texts and e-mails.

A complete stranger could also steal your phone. Solution: don't leave your phone accessible to complete strangers.

baddox14y ago

I think the point of the passcode lock is so that if someone does steal your phone, they won't be able to get any of your personal information from it (provided they're not tech savvy enough to do a relatively easy brute force).

mmuro14y ago

The entire story could have just been the last screenshot and its caption.

Full of sound and fury, signifying nothing.

cmer14y ago

Siri would be pretty annoying and useless if it required unlocking the phone to use it. If it's actually a bug, I sure hope they don't fix it, or at least make the "correct" behavior optional.

cschneid14y ago

There's a flag in settings to allow/disallow siri while locked.

qx24b14y ago

I believe the flag is actually set in the same place you enable locking of the phone.

seppo001014y ago

Shouldn't you be able to "tell" Siri a passphrase to unlock?

Agree that require unlocking is silly, but the whole point of locking is missing.

Lexarius14y ago

> Shouldn't you be able to "tell" Siri a passphrase to unlock?

No, because that would encourage people to vocalize their passphrases.

mikeash14y ago

"...unless you tell it not to." So misleading.

samstave14y ago

I also found that if you have iOS5 on an iPhone 4, the new camera button allows you to access apps and what-not without unlocking the phone - though it thinks its locked.

Double click the home button to get the camera icon, go to camera and press home button and you can access all apps.

But if you try to go to the photo gallery, the phone tells you its locked and wont go there.

ddagradi14y ago

Incorrect. That only works if the device doesn't require a passcode to get past the homescreen.

samstave14y ago

Yes, I thought that might be the case - and I createda passcode after I typed this and this is true -- however it still does not allow you to access photos through the process I described. It shows you a locked screen.

1 more reply

j / k navigate · click thread line to collapse

28 comments

evan_14y ago

    > It's pretty surprising that Apple has the default
    > set to be able to use Siri without unlocking the device.

Siri is turned off by default, so this is actually a pretty misleading thing to say.

tobylane14y ago

I just knew that if the first you hear of something like this is from the mainstream press, then it's just a few less-than-bright friends of a journalist made the same setting change.

evan_14y ago

People variously could and could not replicate it, until someone finally mentioned that the lock screen only shows if it's been locked for more than a (user-configurable) length of time.

So when people who never use the lock screen went to turn on the lock screen and immediately test it out, shockingly they didn't have to enter a PIN!

silencio14y ago

If it's enabled in that manner by default and lets you bypass the lock screen, then there's a serious problem.

rdl14y ago

Biometrics might actually make sense in phones, too, although I'm not sure how much I like the facial recognition in ice cream sandwich.

gte910h14y ago

You're allowed to use a password instead of a 4 digit passcode if you want.

Biometrics are evil. If someone wants what's in your phone that bad, you don't want them cutting off your thumb to get it.

rdl14y ago

I do, but typing in a long passphrase every single time you unlock your phone kind of sucks; if I had a 4 digit passcode I might set a shorter relock interval.

Simple theft or losing the phone is still the most likely, and a biometric+PIN, securely stored on device, solves this.

High-end luxury cars have great engine immobilizer systems, which led to a lot of carjackings, since it was easier than unattended theft, which is basically the problem you've identified.

There are LOTS of other issues with biometrics, but they mainly come up when they're part of a centralized service and can't be completely controlled by the user.

cschep14y ago

Without severely paranoid steps being taken, if someone has your physical device they are going to be be able to gain access to the files on that device. This isn't hard math to do.

prof_hobart14y ago

If you don't select the option to block Siri without entering a passcode, then you can use Siri without entering a passcode.

Shocking.

jasonlotito14y ago

It's that the option is enabled by default if you have Siri active. It's not obvious, and frankly, should be fixed.

prof_hobart14y ago

It's reasonably obvious. The option appears on the screen you get as soon as you choose your passcode.

1 more reply

biot14y ago

  > In a default setting, Siri let's [sic] a complete stranger see
  > your calendar on your passcode locked iPhone 4S, as well as get
  > contact information, make a call and send texts and e-mails.

A complete stranger could also steal your phone. Solution: don't leave your phone accessible to complete strangers.

baddox14y ago

mmuro14y ago

The entire story could have just been the last screenshot and its caption.

Full of sound and fury, signifying nothing.

cmer14y ago

Siri would be pretty annoying and useless if it required unlocking the phone to use it. If it's actually a bug, I sure hope they don't fix it, or at least make the "correct" behavior optional.

cschneid14y ago

There's a flag in settings to allow/disallow siri while locked.

qx24b14y ago

I believe the flag is actually set in the same place you enable locking of the phone.

seppo001014y ago

Shouldn't you be able to "tell" Siri a passphrase to unlock?

Agree that require unlocking is silly, but the whole point of locking is missing.

Lexarius14y ago

> Shouldn't you be able to "tell" Siri a passphrase to unlock?

No, because that would encourage people to vocalize their passphrases.

mikeash14y ago

"...unless you tell it not to." So misleading.

samstave14y ago

I also found that if you have iOS5 on an iPhone 4, the new camera button allows you to access apps and what-not without unlocking the phone - though it thinks its locked.

Double click the home button to get the camera icon, go to camera and press home button and you can access all apps.

But if you try to go to the photo gallery, the phone tells you its locked and wont go there.

ddagradi14y ago

Incorrect. That only works if the device doesn't require a passcode to get past the homescreen.

samstave14y ago

1 more reply

j / k navigate · click thread line to collapse