Graham Cluley, senior technology consultant at Sophos is signaling that Siri, the personal assistant in iOS 5, has been implemented with default settings that leaves phones vulnerable.
Mr. Cluley, with whom I’ve had the pleasure to discuss Mac security issues on several occasions, reveals in a new blog entry that “Even if an iPhone 4S is locked with a passcode, a complete stranger can come up to your smartphone, press the button and give Siri a spoken command.”
To offer an example, the security expert borrowed an iPhone 4S from a colleague and ran tasks using Siri that he otherwise couldn’t have done without knowing the password. Mr Cluley explains:
“I borrowed a passcode-locked iPhone 4S from a colleague here at Sophos and, with his permission, was able to write an email, and send a text message. If I had wanted to I could have meddled with his calendar appointments too.”
“All without having to enter the passcode. I'm sure you can imagine some of the ways this could potentially be abused,” Cluley blogs.
The security researcher admits that, although Siri may pose some security concerns, the feature can be turned off from the iOS Settings menu.
“Fortunately there's an easy way for security-conscious users to disable Siri when their phone is locked,” he writes.
To turn off Siri, you must access Settings -> General -> Passcode Lock on your iPhone 4S, and make sure that the "Siri" option is set to OFF.
But Cluley is still disappointed with Apple. Why? Because of the way Siri’s default settings were implemented:
“What's disappointing to me though is that Apple had a clear choice here. They could have chosen to implement Siri securely, but instead they decided to default to a mode which is more about impressing your buddies than securing your calendar and email system,” says Cluley.