Hacker claims Siri bypasses passcode to allow access to iOS 7 contacts

Egyptian neurosurgeon and part-time iPhone baseband hacker Sherif Hashim appears to demonstrate a privacy failure in iOS 7 that allows a user to access the contact list on an iPhone even when the phone is locked. The trick takes advantage of a glitch in Siri that occurs when the voice assistant is available on the lock screen of the device.

In the video below, Hashim walks us through the trick, which requires a user to activate Siri and try to access the contact list by saying “Contacts.” This will fail when Siri prompts the user to enter their passcode. The user can then hit “Cancel” and ask Siri again to make a call by saying “Call.” Siri then asks the user “With whom would you like to speak?”, allowing the user to enter a letter like “A” and access all the contacts that begin with the letter “A.”

You can see the trick demonstrated in the video below.

The hack requires physical access to the phone as well as access to the iOS 7 version of Siri on the lock screen. I was not able to replicate the full procedure on my device, but I could pull up contacts by randomly saying a name like “David.”

If it were replicated, this apparent easy access to the contacts list could be troubling to iOS owners who want their address book to remain private. If this is an issue for you, then you should take a few minutes to disable Siri on your lock screen using these instructions.

What do you think of this discovery? Were you able to replicate it? Is it something to be concerned about?