The iPhone lockscreen has never been completely secure. Past exploits allowed random people to access your photos or to make calls with a few choreographed swipes. The latest, however, can grant access to your full contact list through Siri and let a stranger call, text or email anyone they want from your number.
Discovered by Egyptian neurosurgeon and part-time hacker Sherif Hashim, this vulnerability affects any iPhone running iOS 7.1.1 that has Siri enabled on the Lock Screen, which is the default setting. To skirt around the lockscreen, all you have to do is pull up Siri and give her a simple verb like “Call”, “Text” or “Email”. Siri will ask you whom you want to contact, and you can manually type in a single letter. That will prompt Siri to ask you to clarify and will also give you an “Other…” option that will open up the iPhone user’s entire contact list. You’re simply tricking Siri into doing what you want.
Hashim posted a video of the trick, showing the process at work on an iPhone 5S. We were easily able to replicate the exploit with an iPhone 5, and there’s no reason to believe this wouldn’t work on an iPhone 4 or an iPad that’s running the same version of iOS.
It takes a little bit of finesse for a stranger to get to the stage where he can email, text, or call anyone on your contact list — but not much. The intruder needs to know what he’s looking for, although that’s not too hard once he gets past the lockscreen and sees the whole list. Once the intruder finds, say, your boss’s name on the list, he can easily send a disparaging text message or a resignation email. He can even trick Siri into sharing the contact information for future reference. Your boss would have no idea it wasn’t you.
In the meantime, the best fix is to disable Siri on the lockscreen if you’re paranoid. Beyond that, all you can do is wait for the next version of iOS. [NBC News]