Cenzic Researchers Uncover iOS7 Backdoor Vulnerability that Enables Pretenders to Act on a User’s Behalf – Even When iPhones are Locked

A major flaw in SIRI enables unauthorized users to send email, post to Facebook and Twitter, and send messages

By Tyler Rorabaugh, VP of Engineering, Cenzic

Imagine someone stealing your iPhone and – without knowing your passcode – sending messages, email, or social network postings to your friends and contacts, posing as you.

Impossible? Not with Apple’s new iOS 7, which many users are installing this week. Researchers on my team here at Cenzic have discovered that a security flaw in SIRI, Apple’s voice-activated personal assistant, will allow any user to bypass controls on a locked iPhone and take action on the user’s behalf. Our Security Engineers, Abhishek Rahirikar and Michael Yuen, found the vulnerability in the past 24 hours and report that the weakness is directly within SIRI and compromises iOS 7’s ability to control common tasks that should be based on permissions.

Video: iOS7 Backdoor in Action

In this YouTube video (http://youtu.be/DVpPsUhKz9s), Rahirikar and Yuen demonstrate their ability to use the SIRI function on my iPhone to make a Facebook posting on my page and update my status – all while using my locked iPhone running iOS 7.

The SIRI flaw can be used to operate many other iPhone functions that would normally require user permissions, even when the iPhone is locked. The operations that our researchers were able to accomplish on a locked iPhone include the ability to:

  • Call any phone
  • Send messages using iPhone owner’s identity
  • Send email using iPhone owner’s identity – This could enable phishing attacks
  • View calling history – Exposes information on recent calls and calling partners
  • View limited contacts – Enables attackers to discover details on specific, known contacts
  • Discover personal information of contacts with common, easily-guessed names
  • Post on Twitter
  • Post on Facebook
  • Get addresses saved in Apple Maps

Some of these functions were found to be accessible on older iPhones as well, including those using iOS 6. Cenzic’s researchers confirmed that on iOS 6, SIRI can also be used to post on Twitter and Facebook on your behalf, provided both accounts are set up and SIRI is enabled. Twitter and Facebook posting is possible only when Twitter and Facebook accounts are configured at Settings -> Facebook and Settings -> Twitter.

This vulnerability indicates that there is a thin line between security and convenience. Whether functions such as calling phone numbers, sending messages and sending emails should work while the phone is locked can be debated as a matter of security versus convenience, but there is no setting that can control this if SIRI is enabled. A user might need to disable SIRI completely to stop this.

Cenzic encourages all iPhone users to be aware of these flaws, and never hand over their iPhones to untrusted individuals. In the wrong hands, your iPhone could lead to compromise of your identity, even when it is locked and protected by a password. Cenzic also calls on Apple to look into these vulnerabilities and remediate them as soon as possible. A patch is sorely needed, not only in iOS 7 but also in older versions. On a broader scale, Cenzic encourages all enterprises to carefully scan all new applications introduced to the organization, particularly mobile applications, which have frequently been found to be vulnerable to attack.


*** Abhishek Rahirikar and Michael Yuen, Security Engineers at Cenzic, contributed to this blog post, given their research findings.***

 

16 thoughts on “Cenzic Researchers Uncover iOS7 Backdoor Vulnerability that Enables Pretenders to Act on a User’s Behalf – Even When iPhones are Locked”

  9. So, I wouldn’t call this a flaw… when you choose to enable the lock screen functionality there’s a sub-option to disable SIRI from the lock screen. It may be an incredibly insecure convenience-option (I don’t feel like typing my pass code to use SIRI…), but definitely not a flaw.

  10. Paul,

    I disagree, it violates Triple A as you have to disable SIRI from locked in order to disable the permissions. There’s no way to modify the permissions for specific settings.

    • Tyler,

      I think this is a case of, “Ooh! I found a vulnerability in APPLE’s operating system! Look at me!!”

      I still think it’s a stretch to call it a vulnerability. What you’re talking about would be a “nice-to-have” but still doesn’t define the current configuration as vulnerable. What would you propose be available from SIRI on the lock screen? Anything SIRI does requires data usage. Some would argue that an unauthorized user using data is a vulnerability/flaw. I think the solution is already in place, if you leave your phone in places where unauthorized users can use SIRI, then just disable SIRI from the lock screen!
