Siri and 3D Touch combine for this contacts- and photos-revealing iPhone lockscreen attack

Smartphone security is all about balance: finding ways to deliver the functionality and convenience we want while taking reasonable steps to keep our data secure. Go too far with the security precautions and the phone becomes a pain to use (or maybe worse, only performs the most basic operations); dial things back too far and you’ve got a wide-open phone that isn’t doing enough to keep private information private. Apple has long struggled with how to deliver the convenience of Siri voice control while still enforcing device security, and over the years we’ve seen no shortage of Siri-driven exploits aiming to bypass the iOS lockscreen. Today we check out the latest of these attacks to find publicity, one that exposes the contact list and photos on target phones.

The vulnerability, which is present in Apple’s latest iOS 9.3.1, taps into both Siri and 3D Touch, requiring the use of an iPhone 6s or 6s Plus. First an attacker needs to activate Siri, then use the service to perform a Twitter search. The key here is searching for a string that will return tweets containing email addresses.

From there, the attack leverages 3D Touch on one of those email addresses to bring up the option of adding it to the phone’s contacts, which exposes the existing contact list in the process. That also opens a window for browsing through the phone’s photos in order to choose a contact photo, exposing even more user data, all without ever unlocking the device.

The good news is that there are mitigations that can prevent all this from happening – but you’ll lose a little functionality in the process. The key bit is manually going into system settings and disabling Siri’s ability to access Twitter. Going further, you could even prevent Siri from accessing your photos, or disable lockscreen Siri access altogether.

Source: videosdebarraquito (Twitter)
Via: iClarified

About The Author
Stephen Schenck
Stephen has been writing about electronics since 2008, which only serves to frustrate him that he waited so long to combine his love of gadgets and his degree in writing. In his spare time, he collects console and arcade game hardware, is a motorcycle enthusiast, and enjoys trapping blue crabs. Stephen's first mobile device was a 624 MHz Dell Axim X30, which he's convinced is still a viable platform. Stephen longs for a market where phones are sold independently of service, and bandwidth is cheap and plentiful; he's not holding his breath. In the meantime, he devours smartphone news and tries to sort out the juicy bits.