Spear phishing is a powerful fraud technique. The objective is to get sensitive or confidential data, which can then be used to mount an attack. A combination, for example, of my home and mobile numbers, as well as my work and personal email addresses, is a valuable tool in "capable" hands.
Obtaining such data is not easy, but Siri can help.
Grab your target's LOCKED (!) iPhone, then press and hold the Home button to wake up Siri. Ask her for "My name". Then for "My email address".
Next, request data on "My wife" (Siri prefers "My spouse", actually). Then try some names - e.g. John or Peter - to get FULL details from Address Book. Try "Lloyds" ("Barclays", "HSBC" and other major banks) to see what useful data is available there.
You can send an SMS to or call any of the numbers you see. Very handy if your target has a number saved for an alternative low-cost telecom company - dial the access number, then you can call anyone in the world, for FREE! With the phone still locked...
I'll leave the rest to your imagination. (Siri won't show your photos or launch apps - you do need to enter PIN for that - but there are some other neat tricks for exploiting that security hole, which I won't describe here...)
Enjoy!
Apple has the best security implementation in the industry, both on the s/w and h/w levels. I do hope it tells Siri off soon, especially if Apple is serious about entering the payments playground.
P.S. Apparently, that Siri exploit is old hat: it's been known since... 2011.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.