A major flaw in SIRI enables unauthorized users to send email, post to Facebook and Twitter, and send messages
By Tyler Rorabaugh, VP of Engineering, Cenzic
Imagine someone stealing your iPhone and — without knowing your passcode – sending messages, email, or social network postings to your friends and contacts, posing as you.
Impossible? Not with Apple’s new iOS 7, which many users are installing this week. Researchers on my team here at Cenzic have discovered a security flaw in SIRI, Apple’s voice-activated personal assistant, that allows any user to bypass controls on a locked iPhone and take action on the owner’s behalf. Our Security Engineers, Abhishek Rahirikar and Michael Yuen, found the vulnerability in the past 24 hours and report that the weakness lies directly within SIRI and undermines iOS 7’s ability to gate common tasks behind permissions.
Video: iOS7 Backdoor in Action
In this YouTube video (http://youtu.be/DVpPsUhKz9s), Rahirikar and Yuen demonstrate their ability to use the SIRI function on my iPhone to make a Facebook posting on my page and update my status – all while using my locked iPhone running iOS 7.
The SIRI flaw can be used to operate many other iPhone functions that would normally require user permissions, even when the iPhone is locked. The operations our researchers were able to perform on a locked iPhone include the ability to:
- Call any phone
- Send messages using the iPhone owner’s identity
- Send email using the iPhone owner’s identity – This could enable phishing attacks
- View calling history – Exposes information on recent calls and calling partners
- View limited contacts – Enables attackers to discover details on specific, known contacts
- Discover personal information of contacts with common, easily-guessed names
- Post on Twitter
- Post on Facebook
- Get addresses saved in Apple Maps
Some of these functions were found to be accessible on older iPhones as well, including those running iOS 6. Cenzic’s researchers confirmed that on iOS 6, SIRI can also be used to post on Twitter and Facebook on the owner’s behalf, provided both accounts are set up and SIRI is enabled. Twitter and Facebook posting is possible only when the accounts are configured under Settings -> Facebook and Settings -> Twitter.
This vulnerability shows how thin the line between security and convenience can be. Allowing functions like calling phone numbers, sending messages and sending emails while the phone is locked can be argued for as convenience over security, but there is no setting that controls this behaviour once Siri is enabled. A user might need to disable SIRI completely to stop it.
Cenzic encourages all iPhone users to be aware of these flaws, and never to hand their iPhones to untrusted individuals. In the wrong hands, your iPhone could lead to compromise of your identity, even when it is locked and protected by a passcode. Cenzic also calls on Apple to look into these vulnerabilities and remediate them as soon as possible. A patch is sorely needed, not only in iOS 7 but in older versions. On a broader scale, Cenzic encourages all enterprises to carefully scan every new application introduced to the organization, particularly mobile applications, which have frequently been found to be vulnerable to attack.
*** Abhishek Rahirikar and Michael Yuen, Security Engineers at Cenzic, contributed to this blog post, given their research findings. ***