You’ve got a ton of very personal information on your phone. Text messages. Emails. Browsing history. Photos. The last thing you want is someone getting their hands on your phone and accessing all that data. That’s why you lock your phone down with a password, code, pattern, or fingerprint.
If you’re an iPhone owner, however, someone can trick your phone into spilling some of your secrets even if you’ve done that. All they have to do is ask Siri for a little help.
There are several steps involved, but the process is fairly simple. The first step is for the attacker to determine the iPhone’s phone number, which Siri is happy to provide. The attacker then places a call to the iPhone from another phone and, on the locked iPhone, answers it with a custom text reply. Instead of actually entering a message, the attacker calls Siri into action again.
This time it’s to enable VoiceOver, an accessibility feature that allows users to make gestures to interact with iOS. Then it’s simply a matter of tapping the right parts of the screen. It might take a few tries, but eventually iOS responds by popping up icons next to the text input area that allow the attacker to jump into your contacts and photos.
One demonstration of the attack was posted to YouTube.
Again, someone can do this even if you’ve secured your iPhone with a passcode or set up Touch ID. The vulnerability exists on all versions of iOS from 8.0 to 10.2.
Fortunately, it’s a fairly easy attack to block until Apple delivers a fix. All you have to do is disable Siri on the lock screen. You can do that by going to Settings >> General >> Passcode Lock. Ultimately, this exploit is nowhere near as dangerous as the one revealed last week that can force your iPhone to call premium-rate numbers.