iOS 7 flaw bypasses lock screen, lets anyone access your contact list

Security issues with iOS 7 seem to be popping up everywhere. Last week, we reported that iOS 7 suffered from a bug which left email attachments unencrypted -- and while Apple has prepared a fix for the issue, a new one has appeared in its place.

According to Egyptian neurosurgeon and part-time security researcher Sherif Hashim, a flaw in iOS 7's Siri voice assistant allows anyone to bypass the iPhone lock screen and access the contact list. In a video posted on his YouTube channel, Hashim detailed the method of attack.

Using an iPhone 5S, Hashim tries and fails to sign in with the TouchID fingerprint scanner. Then, he activates Siri and accesses the phone's contact list by saying "contacts." Siri responds that he needs to unlock the phone first, but Hahim quickly hits cancel and instructs Siri to call a contact. This brings up the phone's entire contact list, which allows Hashim to view and call anyone on the list.

Apple will hopefully release a patch in the coming days, but what can you do until then? First, keep your phone on a tight leash. The flaw is only accessible if someone else gains physical access to the phone, which means no remote attacks. Additionally, Hashim recommends that users disable Siri on the lock screen. This can be done by going to 'settings', 'passcode' and tapping the option to disable Siri while the screen is locked, thus ensuring that your phone is safe, sound, and invulnerable to Siri's contact list flaw.

You can watch Hashim uncover the security flaw below:

Source: NBC NewsImage via Apple

Report a problem with article
Previous Story

Surface mini mockups turn rumors into visual delight

Next Story

Samsung replaces its head of mobile design

44 Comments

Commenting is disabled on this article.

This looks fake...

I've tried this one two iPhones and it doesn't seem to work.

You'll notice that at 0:52 he holds his finger to the scanner right before he says "Call." Because Siri is active there is no onscreen notification that the phone is unlocked, but it does seem to unlock.

I've tried this "fake" method on my phone and it does being up the contact list - because it's unlocked!

That's another magical solution from Apple I guess and everyone gives them a pass. If it was Microsoft's Cortana however, CNN would have it non-stop as a Breaking News headline

vhaakmat said,
That's another magical solution from Apple I guess and everyone gives them a pass. If it was Microsoft's Cortana however, CNN would have it non-stop as a Breaking News headline

Sad but true.

I followed the same steps in the video multiple times and can't reproduce the issue. I have an iPhone 5s running the latest iOS version. :/

More bugs: To disable Siri from the Lock Screen, you must actually have Siri ENABLED in the General Settings. If you disable Siri altogether in General Settings, it will actually enable Siri on the Lock Screen.

Doesn't work on my 5s.
When you quickly say call a contact it, Siri says who would you like to ring.

No list of contacts is shown. Maybe they fixed it remotely already

What always amazes me is how people find this stuff out - I've seen some of the previous work arounds to bypass the lock screen and it's like cheat codes for old console games! Up, down, up down, left, right, left, right, B A. I guess I'm in the percentage of users who.. just use their phones :|

Let's be grateful these type of people exist though. It's how things get fixed that could be otherwise exploited by bad guys. :)

.Neo said,
Let's be grateful these type of people exist though. It's how things get fixed that could be otherwise exploited by bad guys. :)

True :)

Haha! I wonder if Kareem is getting lots of anonymous calls now that his number is in this video.

You'd think they would have learnt by now and made sure that no lock screen hacks would be possible. I've lost count of how many times flaws have been discovered in the lock screen!

This happens the same with Cortana. You have to go into Cortana settings and uncheck the box 'Allow speech above lock' from the speech settings. I hope Microsoft takes this as example and fix this when they release WP8.1 with Cortana.

Cortana does not have the issue demoed above you can only call a contact that you might know that in their contact list. you cannot nor have access to their complete contact list like what shown in the video. apple has poor security this has been happening for several releases of ios.

Yep. You are right. Cortana only calsl a specific contact.

Juan Rodriguez said,
Cortana does not have the issue demoed above you can only call a contact that you might know that in their contact list. you cannot nor have access to their complete contact list like what shown in the video. apple has poor security this has been happening for several releases of ios.

Huh. Doesn't work for me. I think you need a specific set of contacts (In the video's case, Hashim had a bunch of "A" contacts).

When I try it, Siri says "I can't find ___ in your address book. Should I look for locations by that name?"

If I try a name I have in my address book (even when I have several contacts with the same name), it just picks one of them and starts a call.

Raa said,
Windows 95 had security? :laugh:

I remember the username/password screen. *cancel*

To be fair, that wasn't really to protect the computer, rather, that was for network access IIRC. Windows 98 had some user security when you setup multiple users on the computer, so that trick no longer worked.

Ideas Man said,

Windows 98 had some user security when you setup multiple users on the computer, so that trick no longer worked.

Yes, you're quite right. Too bad that was defeated by booting into safe mode. :laugh:

Ideas Man said,

To be fair, that wasn't really to protect the computer, rather, that was for network access IIRC. Windows 98 had some user security when you setup multiple users on the computer, so that trick no longer worked.


Wut, click the help button on the login screen in Windows 98, Click file -> Open and BOOM, logged in.

I said some. There are plenty of ways around the login screen in Windows 7 too, though it's not quite as easy as that.

Windows 98 never had a proper security platform built into it like NT did with NTFS and DACLs, so really, all security was mostly an illusion, but somewhat strong enough to stop the average user.

virtorio said,
Oh iOS and security. It's cute how they try, but they've got a ways to go.
I wish Windows Phone got this kind of scrutiny from security researchers. It leads to a safer, nore secure platform in the long run. As-is, WP seems mostly irrelevant to them :(

Chikairo said,
I wish Windows Phone got this kind of scrutiny from security researchers. It leads to a safer, nore secure platform in the long run. As-is, WP seems mostly irrelevant to them :(

It does. But they have nothing to report. Visit the XDA community. Efforts have been underway to hack into Windows Phone for awhile. With the exception of one or two non-Nokia phones and one specialized hardware attack on the 520 they've all failed.

rr_dRock said,

"77%
of Android threats could be largely eliminated today if all Android devices had the latest OS.
Which means 21% (92*0.23) of all malware also works for updated Android devices, and if you eliminate outdated Android versions, 73% (21/(21+8)) of all malware for updated devices exists for Android.

That's still pretty bad... And that's assuming all malware for other OS's also works on their updated counterparts.

It's a bit higher, but still not horrendous. When you have any open platform, thats as bungled as Android, you're going to have exploits coming out of the wazoo.

What I'd like to know, is how many of those are targeted at manufactures addins, as opposed to the actual OS. IE: Touchwiz exploits, custom contacts exploits, etc.

rr_dRock said,

I like how you left out the next stat on the page

"77%
of Android threats could be largely eliminated today if all Android devices had the latest OS. %4 do. "


The keyword here being "IF". In that hypothetical world 77% of Android threats may be eliminated but in the real word, they're not.

God! Please!!! What do people expect?! You enable Siri on the lock screen!!! Just turn it off, problem solved! Geez. What is the point of enabling Siri on the lock screen if you cannot do anything with it? You enable it, you deal with the trade off. As simple as that.

Whilst I agree that Siri is useless on the lock screen (personally I think most of Siri's features are gimmicks over functionality, but that's another issue :p) what is the point of Siri on the lock screen anyway? You have to physically tap the home button to open her so hands free doesn't count!

That being said, one should expect that using the device within the parameters set out by the manufacturer the phone should operate in a secure manner.

I use Siri on the lock screen in two way, the first is when im driving, i have bluetooth in my car, i press and hold the home button and ask siri to read messages and dictate messages, i would call people however the car downloads my address book so thats not needed.

When im walking around say in london or other cities with headphones i use siri for different kinds of things, messaging as per my car above, but also info such as weather, time, navigation, various information. I use this through the headphones as it first makes it a little more secure not flashing a phone around and second convenience, instead of unlocking and tapping out the message blindly walking into people i can just say it instead, same for the other information.

REM2000 said,
I use Siri on the lock screen in two way..

Fair enough, in my use I've never used any of the voice dictation features as a daily activity on any phone (truthfully I've not used Cortana so this is only Google Now/Siri comparison)

Occasionally I've used Google Now to pull up results but even then its only been when I've been by myself. In my use of both platforms Siri had more options but Google Now was more utilitarian and at the end of the day I would be more likely to use GN's features. That being said, that's in my use, which of course doesn't mean its the way *everyone* should use ;) . When I'm driving all simply say "Ok google" and off I go (I barely even bother trying to be honest) I've found turning on Siri a pain.

I think the biggest problem with both systems for me is their abysmal recognition for the NZ/Australian accent. With both Siri and Google Now recognising "Auckland" as Oakland (California).. You'd think some basic reasoning would eliminate such results right.. I mean, I'm in Auckland New Zealand, searching for restaurants nearby Auckland.. why would I care about the USA? That's been fixed on both platforms now but in a blind test I activated Siri and GN to search for "Penguins" - Pinworms was the result :(