iPhone 4’s Siri gives access to locked phone

The hugely popular Siri voice-activated personal assistant in the iPhone 4S has a big security flaw – it responds to commands even when the phone is password-locked.

Siri allows the iPhone 4S to be controlled by voice commands, and even chats rather engagingly with its owner. But Apple’s decided to leave Siri on all the time by default, even when the phone is locked.

This means that anybody can wander up and just press the button to send texts or emails, as well as alter the phone’s calendar – all without having to enter the passcode. It also allows music to be played.

The flaw doesn’t allow apps to be launched while the phone is passcode-locked, and messages can only be sent to existing contacts in the phone’s database.

And it can be fixed. Just enter ‘Settings/General/Passcode Lock’, and make sure that the ‘Siri’ option is set to ‘Off’. This doesn’t turn Siri off altogether, but means it will no longer work when the phone’s locked with a passcode.

“What’s disappointing to me, though, is that Apple had a clear choice here,” says Graham Cluley of Sophos.

“They could have chosen to implement Siri securely, but instead they decided to default to a mode which is more about impressing your buddies than securing your calendar and email system.”