
IOS 7 Passcode Security Flaw - butler14
http://www.acbcases.com/blogs/news/9255701-ios-7-security-flaw-must-read
======
f055
Somebody got too excited - this is a feature, not a flaw. Also, it's getting
boring, these lock screen "hacks" that half the time are intentional
behaviours. A true hack would be accessing your phone remotely. If you at any
point allow the "hacker" physical access to your phone then you either
shouldn't store all these TOP SECRET documents there, or change friends
(because I assume most of these lock screen "hacks" are used for pranks - I
can't imagine leaving my phone unattended outside my home).

~~~
mikemoka
If this is a feature it is a badly designed one, because this could be a real
problem if your phone is stolen and you don't notice, for instance. They should
have added a voice identification system or similar to balance convenience and
security, at least on the first use to open a timed session, which is totally
in their capabilities in my opinion.

~~~
farmdawgnation
This feature is only badly designed in that it's not communicated during the
setup process that Siri will still work. This _is_ a feature, it can be turned
off, and is 100% intentional.

The security you propose doesn't provide enough security to be worth the
effort. (Hello tape recorder!)

------
lewispb
Swipe up on the locked phone to get to the control panel

Open the stopwatch app

Go over to alarm clock

Hold the power button until you get the "Power down" prompt

Hit the cancel button and immediately hit the home button twice, holding it
down just a little longer on the second press. It takes a try or two to get
the hang of.

Then you're in the target's multitasking menu

Go to the camera app, view photos, and you can share the pictures from there
with email, Twitter, and more.

~~~
ZoFreX
> Then you're in the target's multitasking menu

Neat, but you can't actually go into any app other than the clock app -
tapping apps in the multitasking menu does nothing.

> Go to the camera app, view photos, and you can share the pictures from there
> with email, Twitter, and more.

I just see a message telling me I can't see the photos without unlocking the
device first.

My question is... how on earth did you figure that first one out??

------
parennoob
"........have stumbled across a huge security flaw"

for a behaviour which is careless at worst, and _an actual option in the pass
lock settings_.

This may be a controversial viewpoint, but I definitely think the massive
attention given to security problems is causing these people to hype up some
feature they don't like as an important security flaw. This is ridiculous.

(Also a reason why rampant 'technology press' 'reporting' should typically be
ignored, I'll bet this is already making the rounds on MacRumors and similar
rags.)

------
onedognight
Apple has thought about the security vs. convenience tradeoff here. That's why
this setting exists.

    Settings -> General -> Pass Code Lock -> Allow Siri

------
martin-adams
If only Siri could validate it was your voice making the commands. But with my
experience of Siri on the 4S with iOS 6, Siri fails most of the time with the
simple things like "Call [name] mobile" but worse, takes ages to even fail
(due to network flakiness though).

------
interpol_p
As far as I am aware this is intentional behaviour, with the ability to
opt-out.

These guys should turn the "_Allow access to Siri when locked with a
passcode_" option to _off_.

~~~
splitbrain
Shouldn't that be the default, then? (I don't have an iPhone so I can't check
it)

~~~
interpol_p
It is not the default. That would negate much of the useful functionality of
Siri.

Being able to trigger it and make requests without looking at my phone is one
of the key reasons I use it.

It's a convenience / security trade-off that is under the user's control in
Settings.

------
btucker
If I remember correctly, in iOS 6 when interacting with Siri while the phone
was locked, Siri would respond to certain commands by telling you that you
needed to enter your passcode to do that.

------
pedalpete
I just tried it, and I couldn't get it to update my Facebook, it just kept
saying "command not found". Though I have to admit, I don't use Siri. It did
seem that I would have been able to place phone calls, but the numbers I tried
were international, and I don't have an international plan.

------
mikemoka
If this is true it is an impressive security debacle for a company like Apple,
"allow siri access while the iPhone is locked" should clearly be off by
default, and the user should be alerted about the potential dangers when
deciding to turn it on.

~~~
interpol_p
I was under the impression that this was by design. I guess it depends what
expectations you have for a passcode lock.

My expectation is that my phone is reasonably secure from co-workers when I
leave it on my desk for fifteen minutes at a time. And that if stolen, I have
enough time to remote-wipe it before the passcode is bypassed.

~~~
mikemoka
When a door is locked I don't expect it to open by saying "let me through",
with all the specific differences I think this is a reasonably common
expectation to have.

~~~
interpol_p
I am quite sure that is not correct in this case.

You have some limited access to features while Siri is on, only if the allow
with passcode option is enabled. You do not have full run of the entire phone,
nor are you able to bypass the lock screen.

