Apple’s Siri poses privacy and security risks for iPhone users, leaks personal information

Apple’s Siri digital assistants has been hailed as one of the best digital assistants around. It is fast, it is quirky and it has a great sense of humour but it is as much risky according to Trend Micro. Researchers at Trend Micro state that it poses a serious privacy risk for iPhone owners by leaking personal information.

According to Trend Micro, even if your iPhone is protected with a PIN or passcode, it could still be possible for someone else to use Siri to glean personal information about not just you, but your relations and other contacts, as well as details about your schedule.  The glitch which allows Siri to reveal your personal information has been described by Trend Micro as a ‘flaw’ because it creates a backdoor that enables anyone with physical access to your phone to bypass security features.

According to the researchers, iPhones which have Siri enabled on the lock screen can leak all sorts of information. In fact, malicious actors can use voice control can be used to garner all sorts of data from your phone, and even perform functions such as placing calls, sending texts, and posting social network status updates.

Researchers say that while this flaw has already been reported to Apple and raised on Apple forums several times, Apple continues to allow Siri to be enabled at lock screen so it is left for the iPhone owners to take steps to protect their information.

Leave your phone unattended and anyone is able to use Siri to check what appointments you have on a given day. They can learn your email address just by asking, and create or delete alarms. Writing on the TrendLabs Security Intelligence blog, Trend Micro says:

Ideally for the mobile device owners, voice commands could be used by law enforcement or first responders to locate the identity of an injured person and even contact a family member, using a command such as, “Call mom”. However, these commands could also be used by a malicious individual to cause harm in a friendship or relationship by a posting a Facebook status such as “now single and not looking” or “Text boyfriend…”.

Even non-iOS users may be at risk. Tens of millions of iOS mobile devices have been sold around the world. A large portion of the world’s population has at least a friend, family member, or colleague that does own an iOS mobile device with Siri enabled. As such, their contact details can be accessed on a locked screen, also putting their privacy at risk.

This is what Siri can reveal :

Here is a list of the commands that work on a locked iOS mobile device, with Siri enabled:

  • “what’s my name” — Displays and verbalizes the first and last name assigned to phone’s “My Info” selection under Siri settings.
  • “text name/number <message>” – Sends a text with the message to the contact Name or number you specify
  • “call name/number” – Calls the contact Name or number you specify
  • “post Facebook status <message>” – Posts the message to the phone’s authenticated Facebook account
  • “what’s my location” – Shows map and verbalizes current location
  • “<first name>” – Shows full contact details from Contacts that match the name spoken
  • “what’s my email address” — Displays and verbalizes the email address assigned to “My Info” selection under Siri settings
  • “wake me up at 3AM tomorrow” – Enables an alarm for the specified time
  • “cancel my alarm at 3AM” – Disables an alarm for the specified time
  • “create event/reminder/entry/appointment for <date/time>” – Creates a calendar entry
  • “show me <date/timeframe> schedule” – Displays the calendar entries for the dates or timeframes specified
  • “remove event/reminder/entry/appoint from calendar on <date/time>” – Removes the calendar entry for the specified date and time

Trend Micro offers a simple to all iPhone, iPad and iPod Touch users, disable Siri on the lock screen. It advises what Apple also shares, telling users that they can help protect themselves by heading to Settings > Touch ID & Passcode > Siri and disabling Siri.