We reported this morning on the fact that when you set up a passcode on your iPhone, Siri ignores it and remains active by default.

Here’s what a total stranger can do with Siri on your supposedly locked phone:
- Delete or change your calendar events
- Find out where someone will be based on his calendar
- Send a text message to anyone in your contacts
- Send an email to anyone in your contacts
- Look up any information about anyone in your contacts — your parents’ address, your girlfriend’s phone number (we were able to find one coworker’s father’s social security number)
- Change defined relationships — TiPb shows that a prankster could easily instruct Siri to call you “Dumb arse”
- Set and change alarms and reminders
- Call anyone in your contacts
This is a big deal because it’s a security flaw by design. When you “lock” your phone with a passcode, it sets the reasonable expectation that it should only function for those who can properly unlock it. But Siri’s default setting is to ignore this. It’s not until you change the setting that Siri falls into line with the idea of a locked phone.
We know that at least a little thought was put into how Siri works on a locked phone — you can’t access past emails or text messages, for example — but its immediate functionality is still right there for anyone to take advantage of.
Convenience is the enemy of security, and it seems you’ll have to choose between the two.
We reached out to Apple PR for a comment and they didn’t respond.