

Siri lets anyone use a locked iPhone 4S - sspencer
http://www.cbsnews.com/stories/2011/10/19/tech/cnettechnews/main20122681.shtml

======
evan_

> It's pretty surprising that Apple has the default
> set to be able to use Siri without unlocking the device.

Siri is turned off by default, so this is actually a pretty misleading thing
to say.

~~~
tobylane
I just knew that if the first you hear of something like this is from the
mainstream press, then it's just a few less-than-bright friends of a
journalist who made the same setting change.

~~~
evan_
I saw a breathless, panicked post on some forum the other day where a guy
thought he'd found a huge security flaw in iOS5- it seems if you double-click
the home button and load the camera, and then press the home button, it goes
straight to the home screen, bypassing the lock screen!

People variously could and could not replicate it, until someone finally
mentioned that the lock screen only shows if it's been locked for more than a
(user-configurable) length of time.

So when people who never use the lock screen went to turn on the lock screen
and immediately test it out, shockingly they didn't have to enter a PIN!

------
rdl
The iPhone passcode thing is kind of a joke, unfortunately -- it's
fairly easy to extract the encrypted image from a locked phone, then brute
force it. Since almost everyone just uses a 4-digit simple PIN, doing an
exhaustive search is faster than syncing to iTunes.

What I'd really like is TPM-type security built into the phone (and used
correctly) to protect from brute forcing a short authentication code, and
maybe multi-factor auth. e.g. if the phone is inside my house or office (was
on my secured wifi, hasn't moved), there can be less security (longer relock
interval, shorter passcode, etc.) than if I am out and about. If there were a
way to definitively link my phone to my car, I'd be fine with turning off all
passcodes -- maybe due to bluetooth pairing or something.

Biometrics might actually make sense in phones, too, although I'm not sure how
much I like the facial recognition in Ice Cream Sandwich.

~~~
gte910h
You're allowed to use a password instead of a 4 digit passcode if you want.

Biometrics are evil. If someone wants what's in your phone that bad, you don't
want them cutting off your thumb to get it.

~~~
rdl
I do, but typing in a long passphrase every single time you unlock your phone
kind of sucks; if I had a 4 digit passcode I might set a shorter relock
interval.

I'm not so afraid of someone's stealing my phone, then coming back and cutting
off my thumb. If I were using the phone, it'd be easier to come up at gunpoint
and grab the phone while it's unlocked, if you're that paranoid (one of the
reasons highly sensitive data isn't unlocked "in the wild" in sensitive
organizations).

Simple theft or losing the phone is still the most likely, and a
biometric+PIN, securely stored on device, solves this.

High-end luxury cars have great engine immobilizer systems, which led to a lot
of carjackings, since it was easier than unattended theft, which is basically
the problem you've identified.

There are LOTS of other issues with biometrics, but they mainly come up when
they're part of a centralized service and can't be completely controlled by
the user.

------
cschep
Without severely paranoid steps being taken, if someone has your physical
device they are going to be able to gain access to the files on that
device. This isn't hard math to do.

------
prof_hobart
If you don't select the option to block Siri without entering a passcode, then
you can use Siri without entering a passcode.

Shocking.

~~~
jasonlotito
It's that the option is enabled by default if you have Siri active. It's not
obvious, and frankly, should be fixed.

~~~
prof_hobart
It's reasonably obvious. The option appears on the screen you get as soon as
you choose your passcode.

~~~
jasonlotito
> It's reasonably obvious.

You know what else is reasonably obvious? Those checkboxes saying "Yes, I want
to also subscribe to this other site for an additional 29.95", pre-checked on
the final checkout screen.

It's not reasonably obvious that after turning the passcode on, that it
effectively doesn't secure anything, and it's irresponsible to think that way.

~~~
prof_hobart
There are a grand total of 6 fields on that screen. One of those fields is
prominently labelled as "Siri". It's not like it's being hidden in small
print.

~~~
jasonlotito
Yes, of course I want Siri secure as well. That's why Siri's button is turned
on, to enable security. On a page where you are turning on security.

~~~
prof_hobart
So switch it to "On" then.

------
biot

> In a default setting, Siri let's [sic] a complete stranger see
> your calendar on your passcode locked iPhone 4S, as well as get
> contact information, make a call and send texts and e-mails.

A complete stranger could also steal your phone. Solution: don't leave your
phone accessible to complete strangers.

~~~
baddox
I think the point of the passcode lock is so that if someone _does_ steal your
phone, they won't be able to get any of your personal information from it
(provided they're not tech savvy enough to do a relatively easy brute force).

------
mmuro
The entire story could have just been the last screenshot and its caption.

Full of sound and fury, signifying nothing.

------
cmer
Siri would be pretty annoying and useless if it required unlocking the phone
to use it. If it's actually a bug, I sure hope they don't fix it, or at least
make the "correct" behavior optional.

~~~
cschneid
There's a flag in settings to allow/disallow Siri while locked.

~~~
qx24b
I believe the flag is actually set in the same place you enable locking of the
phone.

------
mikeash
"...unless you tell it not to." So misleading.

------
samstave
I also found that if you have iOS5 on an iPhone 4, the new camera button
allows you to access apps and what-not without unlocking the phone - though it
thinks it's locked.

Double click the home button to get the camera icon, go to camera and press
home button and you can access all apps.

But if you try to go to the photo gallery, the phone tells you it's locked and
won't go there.

~~~
ddagradi
Incorrect. That only works if the device doesn't require a passcode to get
past the homescreen.

~~~
samstave
Yes, I thought that might be the case - and I created a passcode after I typed
this and this is true -- however it still does not allow you to access photos
through the process I described. It shows you a locked screen.

~~~
ddagradi
Right, it only lets you see photos you've taken from the lock screen, so no
personal data is exposed.

