Latest Siri exploit is super-specific (and avoidable)

It's possible for Siri to be too helpful.
Photo: Jim Merithew/Cult of Mac

Siri might be a (halfway) decent digital assistant, but Apple’s AI helper makes for a lousy security guard.

We’ve heard about a bunch of “sneaky” ways that evildoers can use Siri to get access to your photos, contacts or completely unlock your phone without entering a passcode or using Touch ID. Luckily, most of these “security problems” are bogus, but a newly discovered one is for real.

The good news, however, is that this Siri exploit only affects certain iPhone models and is completely preventable.

John Rodriguez demonstrates the latest trick in the video below (via AppleInsider), and while his device has Siri running in Spanish, we’ve confirmed that it works just as well if the assistant is running in American English.

From his lock screen, Rodriguez asks Siri to search Twitter and then pulls up an account that contains an e-mail address in its bio. He uses 3D Touch to open a menu that will let him either add the address to an existing contact or create a new one, and that’s where the trouble is.

Choosing “existing contact” opens up the full Contacts list, and that’s bad enough. But creating a new entry will also give the person doing this trick full access to your photos. Rodriguez says that this also works with WhatsApp searches from the lock screen.

Because it uses 3D Touch, the Siri exploit only works on the iPhone 6s or 6s Plus. And fortunately, the settings that give the helperbot access are switched off by default. But if you want to make sure your phone is locked up tight, here’s where to look:

All you need to do is go to Settings > Twitter, and then uncheck the box next to “Siri” under “Allow these apps to use your account.” If Siri has never asked for this permission, you won’t see it listed there, and you’re fine. You can also manage Siri’s access through the Privacy menu in Settings, and we’ll go there next.

This will prevent Twitter searches from the lock screen, but if you want to keep that feature and just lock down your data, you can adjust some other settings.

To keep Siri from accessing your pictures, go to Settings > Privacy > Photos, and then uncheck Siri like you did in the previous step.

If you want to be as secure as possible, just head to Settings > General > Siri and turn the digital helper off completely. But if you do, nobody will give you completely useless and funny Halloween costumes, so factor that into your decision.