Bad Siri! She'll let anyone use a locked iPhone 4S
But security firm Sophos says there's a simple fix--just change the default Siri setting in Passcode Lock.
The voice-activated feature on the new iPhone 4S will let anyone use the phone to send e-mails and text messages and make calls even if it is passcode locked, Macworld has reported.
Try it. Grab a friend's locked iPhone 4S, press the button and ask Siri to do something. I was able to send a text message, make a call and send an e-mail, all without knowing my friend's passcode. Another colleague confirmed that she could get an address and a phone number out of the phone and even see the calendar.
There is an easy fix for this situation, which was reported on by Macworld on Friday, followed by security firm Sophos today. In the Passcode Lock settings, switch Siri to "Off" (see below). This lets you continue to use the feature once your iPhone is unlocked, but keeps users from accessing these features when security is enabled.
To be clear, the phone is still locked in the sense that someone can't just grab it and make calls to any phone number by dialing. The users Siri lets in aren't able to launch apps, either. We also weren't able to send an e-mail to an address that wasn't in the contact list or to find other data for people who weren't already in the contact list.
To some this might seem like old news. Similar capabilities were available by default with the Voice Control feature, which was introduced with the iPhone 3GS in 2009. But it appears on first glance that Siri allows you to do more with a locked iPhone than Voice Control does.
In my limited sampling, iPhone 4S owners seem to be shocked to learn about this default Siri setting, so chances are that many people didn't know about the Voice Control default setting either.
It's pretty surprising that Apple has the default set to be able to use Siri without unlocking the device.
"What's disappointing to me though is that Apple had a clear choice here," Sophos' Graham Cluley writes in a blog post. "They could have chosen to implement Siri securely, but instead they decided to default to a mode which is more about impressing your buddies than securing your calendar and email system."
Apple representatives did not immediately respond to e-mails and a phone call seeking comment.
(CNET's Sharon Vaknin and Josh Lowensohn contributed to this report.)
Updated 1:11 p.m. PT with previous report from Macworld