Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

Apple's Siri - iPhone security hole

23 May 2014  |  4667 views  |  1

Spear phishing is a powerful fraud technique. The objective is to get sensitive/confidential data which can then be used to mount an attack. A combination, for example, of my home and mobile numbers, as well as my work and personal email addresses, is a valuable tool in "capable" hands.

Obtaining such data is not easy, but Siri can help.

Grab your target's LOCKED (!) iPhone, then press and hold the Home button to wake up Siri. Ask her for "My name". Then for "My email address". 

Next, request data on "My wife" (Siri prefers "My spouse", actually). Then try some names - e.g. John or Peter - to get FULL details from Address Book. Try "Lloyds" ("Barclays", "HSBC" and other major banks) to see what useful data is available there. 

You can send SMS to or call any of the numbers you see. Very handy if your target has a number for one of the alternative low-cost telecom companies stored - dial the access number, then you can call anyone in the world, for FREE! With the phone still locked...

I'll leave the rest to your imagination. (Siri won't show your photos or launch apps - you do need to enter PIN for that - but there are some other neat tricks for exploiting that security hole, which I won't describe here...)


Apple has the best security implementation in the industry, at both the software and hardware levels. I do hope it tells Siri off soon, especially if Apple is serious about entering the payments playground.

P.S. Apparently, that Siri exploit is old hat: it's been known since... 2011.


Comments: (2)

A Finextra member | 26 May, 2014, 07:08

This is a tradeoff between usability and security. The Siri feature was never meant to be secure and if it is misused it only creates a problem for single users. Business logic then tells Apple to move on as before. By the way: Have you ever thought about how the spell checker works? It comes up with suggestions that are my own spelling mistakes and abbreviations which proves that apps definitely leak data to the phone operating system or very likely to a server as well. (Used to build dictionaries..?)
Matt Scott - RenovITe Technologies Inc - London | 27 May, 2014, 15:12

I've disabled Siri - not because I am overly security-sensitive - but because iOS is not smart enough to detect when my mobile drops to GPRS or EDGE connectivity (which doesn't offer enough bandwidth to support the Siri cloud assistance service). I would have expected the device to be smart enough to drop into Voice Control (which is an offline service provided by the handset). Even Voice Control spuriously phones random numbers when I am trying to command it using my handsfree kit... growing tired of Apple related issues (having been an Apple convert since 2003) - typing this on my first (personal) non-Apple laptop since then...
