Blog article
See all stories »

Apple's Siri - iPhone security hole

Spear phishing is a powerful fraud technique. The objective is to get sensitive/confidential data which can then be used to mount at attack. A combination, for example, of my home and mobile numbers, as well as my work and personal email addresses is a valuable tool in "capable" hands.

Obtaining such data is not easy, but Siri can help.

Grab your target's LOCKED (!) iPhone, then press and hold the Home button to wake up Siri. Ask her for "My name". Then for "My email address". 

Next, request data on "My wife" (Siri prefers "My spouse", actually). Then try some names - e.g. John or Peter - to get FULL details from Address Book. Try "Lloyds" ("Barclays", "HSBC" and other major banks) to see what useful data is available there. 

You can send SMS to or call any of the numbers you see. Very handy if your target has some number for alternative low-cost telecom companies - dial the access number, then you can all anyone in the world, for FREE! With the phone still locked...

I'll leave the rest to your imagination. (Siri won't show your photos or launch apps - you do need to enter PIN for that - but there are some other neat tricks for exploiting that security hole, which I won't describe here...)


Apple has the best security implementation in the industry, both on the s/w and h/w levels. I do hope it tells Siri off soon, especially if Apple is serious about entering the payments playground.

P.S. Apparently, that Siri exploit is an old hat: it's been known since... 2011.


Comments: (2)

A Finextra member
A Finextra member 26 May, 2014, 07:08Be the first to give this comment the thumbs up 0 likes This is a tradeoff between ustability and security. The Siri features was never meant to be secure and if they are misused it only creates a problem for single users. Business logics then tells Apple to move on as before. By the way: Have you ever thougt about how the spell checker works? It comes up with suggestions that are my own spelling mistankes and abbreviations which proves that apps definetly leak data to the phone operating system or very likely to a server as well. (Used to build dictionaries..?)
Matt Scott
Matt Scott - Fiserv Inc - London 27 May, 2014, 15:12Be the first to give this comment the thumbs up 0 likes

I've disabled Siri - not because I am overly Security-sensitive - but because iOS is not smart enough to detect when my mobile drops to GRPS or EDGE connectivity (which doesn't offer enough Bandwidth to support the Siri Cloud Assistance Service).  I would have expected the device to be smart enough to drop into Voice Control (which is an offline service provided by the handset).  Even Voice Control spuriously phones random numbers when I am trying to command it using my handsfree kit... growing tired of Apple related issues (having been an Apple convert since 2003) - typing this on my first (personal) non-Apple Laptop since then...

Retired Member

Member since

19 Mar 2009


Blog posts




This post is from a series of posts in the group:

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

See all