
The mobile OS you’re using has experienced its share of exploits. Even iOS, considered one of the most secure, has seen people easily gain access to photos, turn off Find My iPhone, and skirt past security passcodes. This latest flaw, discovered by Sherif Hashim, a neurosurgeon by day and part-time hacker by night, makes it remarkably easy to access a phone’s contacts right through Siri, and it hardly takes any effort at all.

The trick is simple if Siri is enabled on your lock screen, which it is by default. To get past the lock screen, simply bring up Siri and tell her to “Call,” “Text,” or “Email,” without being specific. Siri will then ask who it is you want to contact, giving you the opportunity to edit your request in the upper right-hand corner. There, you can enter any name in the contacts, giving you direct access to that person’s phone number.

Hashim’s video demonstrating the little exploit is even worse than that, however. If your address book is set up in a specific way, you can edit your Siri request to say “Call a” (or any other letter), which will bring up contacts with the letter “a” as their first or last name. You’ll get a list of those contacts, along with an “Other” option, which then allows you to bring up that phone’s entire list of contacts. The trick isn’t hard to execute at all; I was able to do it on an iPhone 5c, and there’s nothing to suggest it won’t work on other Apple devices running iOS 7.1.1.

To most people, this isn’t a huge deal, and even if a thief does nab your device, chances are they aren’t interested in your contacts. Still, there’s potential for someone to text, call, or email one of your contacts without your permission; all it takes is a little finesse and Siri’s boneheaded intelligence. Try explaining to your boss that someone hacked your iPhone through Siri after he or she receives a bad message or phone call.

If you’re really paranoid, you can simply disable Siri on your lock screen. If you don’t, getting a contact’s information from a stranger’s iPhone is super simple.