When it comes to information and communication technology, the more convenient, the better. Users want to have a plethora of features available to them at the touch of a screen – or better yet, with a quick vocal command.
Digital personal assistants have significantly improved the mobile user experience by allowing people to make phone calls, send text messages, run a bevy of applications, update social media and so much more simply by speaking into a microphone. In this case, however, the ease of access that makes this uncanny functionality possible may also be precipitating privacy issues.
An unusual workaround
Upon the release of Apple’s iOS 9 in summer 2015, tech pundits and fanboys alike dove in for a closer look at the new and exciting features. What some of them found, however, were glaring security management flaws that could allow an unauthorized user to access certain private information.
According to BGR, YouTube user “videosdebarraquito” contacted them to bring an unusual authentication workaround to their attention that involved clever manipulation of Siri. The first step is to gain physical access to a mobile device running iOS 9. Enter an incorrect PIN four times, and on the fifth attempt, enter only three digits. While typing in the fourth number, hold down the home button, and you will be granted access to Apple’s clock via Siri. From here, the “+” key will make it possible to run a search, from which iMessage, contacts and photos are all accessible.
For one thing, this cyber security flaw makes it possible to snoop on other people’s phones, which is a huge privacy concern in and of itself. More frightening yet is the fact that this private information can be used to orchestrate further cyber attacks, or worse, give real-world criminals information that can be used to identify a person’s whereabouts.
Trend Micro identifies an even bigger problem
Despite Apple’s ongoing best efforts to create ironclad cyber security for its users, another interesting passcode override was announced in November 2015 by Trend Micro. Researchers found that, by default, Siri continues working on passcode-protected iOS 9 devices. This means that the personal assistant can still access certain information and applications even when an Apple smartphone or tablet is locked down.
Below is a list of sample questions from Trend Micro that will provide personal information even if a mobile device is password protected:
- “what’s my name”
- “text name/number message”
- “call name/number”
- “post Facebook status message”
- “first name”
- “what’s my email address”
- “show me date/timeframe schedule”
- “remove event/reminder/entry/appoint from calendar on date/time”
There are several other voice commands that can be used to interact with certain applications and obtain other information, but the above examples represent some of the more precarious possibilities. Calls can be made, messages can be sent, social media accounts can be hijacked, and email addresses, contacts and other personal information can be exposed. Unlike the previously discovered, more complicated workaround, there is very little know-how involved in this one. Simply hold down the button that activates Siri and speak into the microphone – ask and you shall receive.
How to protect against it
The repercussions of unauthorized access to mobile devices are hard to predict, and really depend on how far a hacker wants to run with the ball. Trend Micro notes, for example, that an unauthorized user can leverage the override as ammunition in personal matters, such as snooping through an ex’s phone, or trying to cause emotional damage to someone. Alternatively, the ability to access certain other information can backfire in other ways. Access to appointments, for instance, makes it easy to figure out where a person will be at a given date and time. Another possibility is that a hacker can obtain certain information, such as passwords to accounts, social security numbers, or other information through tactical manipulation of contacts. Any of these scenarios can pose serious risks to an end user’s well-being, and that defeats the purpose of the convenience provided by the digital personal assistant in the first place.
The most immediate solution to this problem is to disable access to Siri on the lock screen in Settings, under Touch ID & Passcode. This makes it impossible to use Siri via the lock screen. Looking ahead, Trend Micro notes that biometric-based authentication such as voice recognition may improve security for Siri and other digital personal assistants. For example, if the phone recognizes the voice of the user, Siri will be able to provide any and all requested information.
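On managed devices, the same lock-screen setting can be verified in configuration profiles before they are deployed. The script below is an added example, not part of the original article or Trend Micro's tooling; it assumes Apple's Restrictions payload (`com.apple.applicationaccess`) with its `allowAssistantWhileLocked` and `allowAssistant` keys, and the profiles it checks are constructed samples.

```python
import plistlib

RESTRICTIONS = "com.apple.applicationaccess"  # Apple's Restrictions payload type

def siri_lock_state(profile_bytes):
    """Classify one profile: 'blocked', 'allowed' or 'no-restrictions-payload'."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == RESTRICTIONS]
    if not payloads:
        return "no-restrictions-payload"
    for p in payloads:
        # Both keys default to true when absent, so only an explicit
        # false turns Siri off (entirely, or just on the lock screen).
        if p.get("allowAssistant", True) is False:
            return "blocked"
        if p.get("allowAssistantWhileLocked", True) is False:
            return "blocked"
    return "allowed"

def needs_remediation(profiles):
    """Names of profiles that leave Siri reachable from the lock screen."""
    return sorted(n for n, b in profiles.items() if siri_lock_state(b) != "blocked")

def make_profile(restrictions):
    """Build a constructed sample .mobileconfig; None means no Restrictions payload."""
    content = []
    if restrictions is not None:
        content.append({"PayloadType": RESTRICTIONS, "PayloadVersion": 1,
                        "PayloadIdentifier": "example.constructed.restrictions",
                        **restrictions})
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "example.constructed.profile",
                           "PayloadContent": content})

# Constructed sample profiles (not taken from any real deployment).
SAMPLES = {
    "hardened": make_profile({"allowAssistantWhileLocked": False}),
    "siri-disabled": make_profile({"allowAssistant": False}),
    "default-restrictions": make_profile({}),
    "explicitly-allowed": make_profile({"allowAssistantWhileLocked": True}),
    "passcode-only": make_profile(None),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {siri_lock_state(blob)}")
    print("needs remediation:", needs_remediation(SAMPLES))
```

A profile that carries a Restrictions payload but omits the key is reported as `allowed`, because the absent key falls back to the permissive default.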
For now, Trend Micro Mobile Security solutions can further secure user data from unexpected mobile threats.