A security flaw in the latest version of iOS 7 for the iPhone can be used to gain access to a phone’s contacts and their phone numbers without entering a PIN or password.
A potential thief or prankster can call anyone listed in the phone book of a locked iPhone simply by asking Siri, the device’s voice-activated personal assistant. Siri can be summoned from the lock screen even if a passcode is required to unlock the handset.
Discovered, and demonstrated in the video below, by Egyptian neurosurgeon and part-time security researcher Sherif Hashim, the trick works by asking Siri to “call” without giving a contact name.
The system then gives the option to type out a contact to find them. Type ‘call a’ and all contacts with names starting with the letter a will be listed. Tap ‘other’ and the entire contacts list is displayed, where you can call anyone you like - and this is all without entering the phone’s PIN or password.
Thankfully, access to Siri from the lock screen can be disabled in the phone’s Settings app, but this will be annoying for those who depend on the feature while driving, or while their hands are otherwise busy.
Security expert Graham Cluley explains: “There are plenty of people who probably *want* to be able to give commands to Siri while their device is locked.
“For instance, perhaps they are making calls while driving, or have a sleeping baby in their arms, which makes it tricky for them to enter a passcode. I accept, that could be a nuisance, but isn’t it time that Apple understood that when a phone is ‘locked,’ users expect it to be really, properly *locked*?”
The problem affects the current version of iOS, 7.1.1, and Apple is yet to issue a fix.