Researchers say some tasks can be performed on older iPhones as well

Sep 21, 2013 09:28 GMT

Now that iOS 7 is out, security researchers from all over the world are taking a crack at it. Experts from Cenzic have uncovered a vulnerability in Siri that can be leveraged by hackers to gain control of iPhones even if they’re locked.

Cenzic researchers Abhishek Rahirikar and Michael Yue have found a way to make phone calls, send messages and emails using the device owner’s identity, view call history, view certain contacts, gain access to personal information, make posts on Twitter and Facebook, and retrieve addresses saved in Apple Maps.

Hackers can perform all these tasks by leveraging a vulnerability in Siri, the intelligent personal assistant feature installed on iPhones. Furthermore, some of the functions can be performed on devices running iOS 6.

“This vulnerability indicates that there is a thin line between security and convenience. Functionality like calling phone numbers, sending messages and sending emails, even if the phone is locked, can be debated as security over convenience but there is no setting that can control this if Siri is enabled,” Tyler Rorabaugh, VP of Engineering at Cenzic, noted.

The expert says users can mitigate the attacks only by completely disabling Siri. Of course, the hack is only possible if the attacker has physical access to the device. That’s why iPhone owners are advised never to hand over their devices to untrusted individuals.

“Cenzic also calls on Apple to look into these vulnerabilities and remediate them as soon as possible. A patch is sorely needed, not only in iOS7 but in older versions. On a broader scale, Cenzic encourages all enterprises to do careful scanning of all new applications introduced to the organization, particularly mobile applications, which have frequently been found to be vulnerable to attack,” Rorabaugh added.

Cenzic researchers have published a proof-of-concept video.