Cenzic Researchers Uncover New Vulnerability in Apple's iOS 7

SIRI on iPhone found to be vulnerable to attacks when enabled in locked mode

Allows unauthorized users to send email, make phone calls, obtain phone call history, send messages and update social networks even when the iPhone is locked

Sep 24, 2013, 11:30 ET from Cenzic

CAMPBELL, Calif., Sept. 24, 2013 /PRNewswire/ -- Cenzic, a leading provider of application security intelligence to reduce security risk, today announced that two of its security engineers, Abhishek Rahirikar and Michael Yuen, have recently discovered that a security flaw in SIRI, Apple's voice-activated personal assistant, will allow any user to bypass controls on a locked iPhone and take action on the user's behalf. This weakness is found directly within SIRI and compromises iOS 7's ability to control common tasks that should be based on permissions.

"It didn't take long for our research team to discover this flaw with SIRI and how the operating system was fundamentally ill designed," said Tyler Rorabaugh, Vice President of Engineering at Cenzic. "Essentially any unauthorized person – or thief – can take your iPhone and, without knowing your passcode, can send Tweets, Facebook posts, messages and emails, to your friends and contacts, posing as you."

Cenzic's researchers put together a short YouTube video last week to demonstrate their ability to use the SIRI function on an iPhone to make a Facebook posting and update a Facebook status – all while using a locked iPhone running iOS 7.  Among the operations that Cenzic's researchers were able to accomplish on a locked iPhone include the ability to:

  • Call any phone
  • Send messages using the iPhone owner's identity
  • Send email using the iPhone owner's identity – this could enable phishing attacks
  • View calling history, exposing information on recent calls and calling partners
  • View limited contacts, enabling attackers to discover details on specific, known contacts
  • Discover personal information of contacts with common, easily-guessed names
  • Post on Twitter
  • Post on Facebook
  • Get addresses saved in Apple Maps

These functions were found to be accessible on older iPhones as well, including those using iOS 6. Cenzic's researchers confirmed that iOS 6 users can also use SIRI to post on Twitter and Facebook on your behalf, provided both accounts are set up and SIRI is enabled. Twitter and Facebook posting is possible only when Twitter and Facebook accounts are configured at: Settings -> Facebook as well as Setting->Twitter.

Added Rorabaugh, "This vulnerability indicates that there is a thin line between security and convenience. Functionality like calling phone numbers, sending messages and sending emails, even if the phone is locked, can be debated as security over convenience but there is no setting that can control this if SIRI is enabled. Users need to turn off SIRI in locked mode."

"When dealing with the triple A security protocol which is authentication, authorization, and accounting, mobile phones are really lacking in this area. We do not see a way to authorize only specific SIRI commands for permissions and no way to authenticate the user of the phone verbally to SIRI using voice recognition or a combination of scenarios. Instead, the user is forced to turn the feature off. The worst part is that there is no accounting record of who did what while the phone was locked," said Rorabaugh.

Cenzic's research team notified Apple of this vulnerability last week and Apple Product Security did respond, saying "iOS security settings allow you to disable SIRI when your device is locked, if desired.  If you wish to do this, in Settings, under General, Passcode Lock, set the SIRI switch to Off."

Rorabaugh concluded, "The concern here is about privacy for the millions of people that leave their phones lying around in common places. It basically turns the common person into a super spy who can easily get your phone records like they work for the CIA or the NSA...and then send out an email acting as you to people on your contact list."

About Cenzic
Cenzic provides the leading application security intelligence platform to continuously assess Cloud, Mobile and Web applications to reduce online security risk. Cenzic's solutions scale from single applications to enterprise-level deployments with hybrid approaches that enable testing of applications at optimal levels. Cenzic helps brands of all sizes protect their reputation and manage security risk in the face of malicious attacks. Cenzic's solutions are used in all parts of the software development lifecycle, and most importantly in production, to protect against new threats even after the application has been deployed. Cenzic's application security intelligence platform is architected to handle web, cloud and mobile applications and is the first to provide risk reduction recommendations for business, application developers and specific applications. Today, Cenzic secures more than half a million online applications and trillions of dollars of commerce for Fortune 1000 companies, all major security companies, government agencies, universities and SMBs. More information about Cenzic can be found at www.cenzic.com.