Bad Siri! She'll let anyone use a locked iPhone 4S

But security firm Sophos says there's a simple fix--just change the default Siri setting in Passcode Lock.

In a default setting, Siri let's a complete stranger see your calendar on your passcode locked iPhone 4S, as well as get contact information, make a call and send texts and e-mails.
In a default setting, Siri let's a complete stranger see the calendar on your passcode locked iPhone 4S, as well as get contact information, make a call and send texts and e-mails. Sharon Vaknin/CNET

The voice-activated feature on the new iPhone 4S will let anyone use the phone to send e-mails and text messages and make calls even if it is passcode locked, Macworld has reported.

Try it. Grab a friend's locked iPhone 4S, press the button and ask Siri to do something. I was able to send a text message, make a call and send an e-mail, all without knowing my friend's passcode. Another colleague confirmed that she could get an address and a phone number out of the phone and even see the calendar.

There is an easy fix for this situation, which was reported on by Macworld on Friday, followed by security firm Sophos today. In the Passcode Lock settings, switch Siri to "Off" (see below). This lets you continue to use the feature once your iPhone is unlocked, but keeps users from accessing these features when security is enabled.

To be clear, the phone is still locked in the sense that someone can't just grab it and make calls to any phone number by dialing. The users Siri lets in aren't able to launch apps, either. We also weren't able to send an e-mail to an address that wasn't in the contact list or to find other data for people who weren't already in the contact list.

To disable Siri unless the device is unlocked, you turn Siri "Off" in the Passcode Lock settings.
To disable Siri so it can't be used unless the device is unlocked, you turn Siri "Off" in the Passcode Lock settings. Sophos

To some this might seem like old news. Similar capabilities were available by default with the Voice Control feature, which was introduced with the iPhone 3GS in 2009. But it appears on first glance that Siri allows you to do more with a locked iPhone than Voice Control does.

In my limited sampling, iPhone 4S owners seem to be shocked to learn about this default Siri setting, so chances are that many people didn't know about the Voice Control default setting either.

It's pretty surprising that Apple has the default set to be able to use Siri without unlocking the device.

"What's disappointing to me though is that Apple had a clear choice here," Sophos' Graham Cluley writes in a blog post. "They could have chosen to implement Siri securely, but instead they decided to default to a mode which is more about impressing your buddies than securing your calendar and email system."

Apple representatives did not immediately respond to e-mails and a phone call seeking comment.

(CNET's Sharon Vaknin and Josh Lowensohn contributed to this report.)

Updated 1:11 p.m. PT with previous report from Macworld

Play
 

Join the discussion

Conversation powered by Livefyre

Show Comments Hide Comments
Latest Galleries from CNET
Tech industry's high-flying 2014
Uber's tumultuous ups and downs in 2014 (pictures)
The best and worst quotes of 2014 (pictures)
A roomy range from LG (pictures)
This plain GE range has all of the essentials (pictures)
Sony's 'Interview' heard 'round the world (pictures)