
Siri’s Flaw: Apple’s Personal Assistant Leaks Personal Data

  • Posted on: November 18, 2015 at 1:05 am
  • Posted in: Mobile, Social
  • Author: Trend Micro Forward-Looking Threat Research Team

Siri for iOS devices has made everyday tasks easier, whether it is getting directions to the nearest gas station or staying in contact with growing social media networks. iOS users can simply call out a contact’s name and the device will pull up that person’s telephone number and email address. However, this convenience comes at a price: personal information.

What if we told you that it takes only 30 seconds on a friend’s Siri-enabled iOS device for anyone to access your full name, email address, phone number, and even your photo, regardless of whether that phone is locked? Concerned?

A potential opening for abuse in Siri-equipped iOS mobile devices allows anyone to use voice recognition to access data on a device, even one protected by a passcode. Ideally, a passcode should prevent unauthorized access to any information stored on a mobile device, much like a password does on a computer. A locked device should not disclose the owner’s identity and contact information, nor those of the owner’s friends, family, and contacts. Siri bypasses this and provides detailed information and other functions on a locked mobile device.

There have been several threads on Apple support forums about this ever since Siri was introduced. However, we wanted to highlight the security and privacy risks and bring them to the attention of our readers.

What Can Siri Do?

Once anyone has physical access to your device, they can use voice recognition to call out a number of commands, including those that give access to names, numbers, calendar entries, and more. Here is a list of the commands that work on a locked iOS mobile device with Siri enabled:

  • “what’s my name” – Displays and verbalizes the first and last name assigned to the phone’s “My Info” selection under Siri settings
  • “text <name/number> <message>” – Sends a text with the message to the contact name or number you specify
  • “call <name/number>” – Calls the contact name or number you specify
  • “post Facebook status <message>” – Posts the message to the phone’s authenticated Facebook account
  • “what’s my location” – Shows a map and verbalizes the current location
  • “<first name>” – Shows full contact details for entries in Contacts that match the name spoken
  • “what’s my email address” – Displays and verbalizes the email address assigned to the “My Info” selection under Siri settings
  • “wake me up at 3AM tomorrow” – Enables an alarm for the specified time
  • “cancel my alarm at 3AM” – Disables an alarm for the specified time
  • “create event/reminder/entry/appointment for <date/time>” – Creates a calendar entry
  • “show me <date/timeframe> schedule” – Displays the calendar entries for the dates or timeframes specified
  • “remove event/reminder/entry/appointment from calendar on <date/time>” – Removes the calendar entry for the specified date and time

Here are sample scenarios showing how a user can issue Siri commands to gain information and perform other actions:

Figures 1-4. Various Siri commands

Privacy Implications

The possibilities and ramifications are nearly limitless if potential attackers were to use the above commands on a locked iOS mobile device. Many of these commands impact the owner’s privacy as well as that of the owner’s contacts.

Ideally, from the device owner’s point of view, voice commands could be used by law enforcement or first responders to establish the identity of an injured person and even contact a family member, using a command such as “Call mom”. However, the same commands could also be used by a malicious individual to cause harm in a friendship or relationship, for example by posting a Facebook status such as “now single and not looking” or by issuing “Text boyfriend …”.

Even non-iOS users may be at risk. Tens of millions of iOS mobile devices have been sold around the world, and a large portion of the world’s population has at least one friend, family member, or colleague who owns an iOS mobile device with Siri enabled. As such, their contact details can be accessed from a locked screen, putting their privacy at risk as well.

What Can You Do

Siri needs additional protection in order to safeguard personal information on iOS mobile devices from potential abuse. Such protections could include voice identity recognition, or requiring user authentication before Siri will text, call, post to Facebook, set or cancel an alarm, or show a contact’s personal details. We recommend that iOS users be wary of who handles their Siri-enabled devices, and turn the personal assistant off as needed.

We have reached out to Apple for comment on this issue, and they responded that, to protect themselves against the above scenarios, users need to disable Siri on the lock screen. This can be done through the Settings menu by going to Touch ID & Passcode > Siri. From there, the personal assistant can be disabled for as long as the device itself is locked.

Tags: Apple, data leak, iOS, Siri
