Apple’s latest operating system, iOS 9, has been steadily rolling out to consumers over the last month or more. Among its many new enhancements are a bevy of fresh apps, a low power mode to conserve energy, Wi-Fi Assist to ensure quick and constant access to the web, and an updated version of Siri – all wrapped up in an attractive new interface. Unfortunately, iOS 9 hasn’t been quite the rousing success that Apple envisioned. While the initial response to the new operating system was largely positive, the last few weeks have seen the discovery of a few flaws that could potentially leave iPhones vulnerable to being hacked. Two flaws in particular make it possible for hackers to gain access to a locked iPhone using Siri, Apple’s patented personal assistant.
Hack #1 – Calling Out Around the World
The first flaw to be uncovered by security experts makes it possible for criminals to use Siri to bypass PINs and fingerprint scanners and make calls from any locked device. The hack doesn’t require much skill on the part of the criminal, and can be accomplished in a matter of seconds. All they have to do is input a random PIN to ‘wake up’ the phone, and then simply ask Siri to make a call. Because Siri is always on (one of the new iOS 9 enhancements), and always waiting for a voice command, it responds as instructed and connects the caller. The hacker doesn’t need to crack the user’s password or fool the unit’s fingerprint scanner. This has the potential to put millions of iPhone users at risk of unexpected, and excessive, phone bills. Should your iPhone be lost or stolen, anyone with a little know-how can use it to make any number of long distance or premium number calls, with you footing the bill.
Fortunately, iPhone owners can easily protect themselves by switching Siri off via their settings menu. Once it is disabled, users can still use Siri, but only after unlocking their handset with a passcode or via the fingerprint ID scanner. Still, while this is an easy enough fix, it is important to point out that Siri is activated by default, so even if you never use Apple’s personal assistant it will remain active, and vulnerable to hacking, until you disable it.
Hack #2 – An Invasion of Privacy
The second Siri hack is a bit more complicated, and can potentially grant criminals access to some of the user’s personal information. Again, this trick bypasses both the PIN and the fingerprint scanner, using Siri as an entry point to the iPhone. All the hacker needs to do is input four false passcodes and, midway through the fifth, hit the handset’s home button to activate the personal assistant. Then, using Siri, it’s a simple matter to create a new contact to access the iPhone’s Contact List. A hacker can also use Siri’s clock app to share a current location, which immediately gives them access to the iPhone’s messaging apps and photo album. While this information may not seem particularly valuable to criminals, access to a person’s contact list and photo store can be used to commit further cyber crimes. If nothing else, it is an extremely unwelcome invasion of privacy.
Protecting yourself from this second Siri hack is relatively easy. Apple has already released an update to iOS 9 which includes a fix for this flaw, so if you have received the iOS 9.1 update you should be protected. Failing that, you can always disable Siri entirely (just as suggested for the calling hack we discussed above) until you receive the latest security updates from Apple or your mobile network provider.
While neither of these hacks may seem particularly earth-shattering, they do illustrate the security challenges facing smartphone manufacturers and software developers. With each iteration of an operating system, the new apps and features create new potential vulnerabilities which must be accounted for and eliminated. Quite often, in the rush to deliver upgrades, developers fail to fully explore all potential hacking scenarios, which is something the criminal class depends upon. For hackers, every shortcut taken by a software developer is an opportunity, and they are more than eager to exploit all of those potential vulnerabilities.