Smartphone security is all about balance: finding ways to deliver the functionality and convenience we want while taking reasonable steps to keep our data secure. Go too nuts with the security precautions and the phone becomes a pain to use (or, maybe worse, only performs the most basic operations), but dial things back too far and you’ve got a wide-open phone that isn’t doing enough to keep private information private. Apple has long struggled with how to deliver the convenience of Siri voice control while still enforcing device security, and over the years we’ve seen no shortage of Siri-driven exploits aiming to bypass the iOS lock screen. Today we check out the latest of these attacks to gain publicity, one that exposes the contact list and photos on target phones.
The vulnerability, which is present in Apple’s latest iOS 9.3.1, taps into both Siri and 3D Touch, requiring the use of an iPhone 6s or 6s Plus. First an attacker needs to activate Siri, then use the service to perform a Twitter search. The key here is searching for a string that will return tweets containing email addresses.
From there, the attack leverages 3D Touch to attempt to add one of those email addresses to the phone’s contacts, exposing the existing contact list in the process. That also opens a window for browsing through the phone’s photos in order to choose a contact picture, exposing even more user data.
The good news is that there are mitigations that can prevent all this from happening – but you’ll lose a little functionality in the process. The key step is manually going into system settings and disabling Siri’s ability to access Twitter. Going further, you could also prevent Siri from accessing your photos, or disable lock screen Siri access altogether.