18 November 2017
Alexander Peschkoff


Alexander Peschkoff - TEDIPAY

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

Apple's Siri - iPhone security hole

23 May 2014  |  4554 views  |  2

Spear phishing is a powerful fraud technique. The objective is to get sensitive/confidential data which can then be used to mount an attack. A combination, for example, of my home and mobile numbers, as well as my work and personal email addresses, is a valuable tool in "capable" hands.

Obtaining such data is not easy, but Siri can help.

Grab your target's LOCKED (!) iPhone, then press and hold the Home button to wake up Siri. Ask her for "My name". Then for "My email address". 

Next, request data on "My wife" (Siri prefers "My spouse", actually). Then try some names - e.g. John or Peter - to get FULL details from Address Book. Try "Lloyds" ("Barclays", "HSBC" and other major banks) to see what useful data is available there. 

You can send an SMS to or call any of the numbers you see. Very handy if your target has a number for an alternative low-cost telecom company - dial the access number, then you can call anyone in the world, for FREE! With the phone still locked...

I'll leave the rest to your imagination. (Siri won't show your photos or launch apps - you do need to enter PIN for that - but there are some other neat tricks for exploiting that security hole, which I won't describe here...)


Apple has the best security implementation in the industry, both on the s/w and h/w levels. I do hope it tells Siri off soon, especially if Apple is serious about entering the payments playground.

P.S. Apparently, that Siri exploit is old hat: it's been known since... 2011.
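For anyone managing a fleet of iPhones, the exposure described above can be checked for in a configuration profile. The following is an added example, not part of the original post: it parses a profile and reports whether Siri stays reachable from the lock screen. It assumes Apple's Restrictions payload (`com.apple.applicationaccess`) and its `allowAssistant` / `allowAssistantWhileLocked` keys; the sample profile and the function names are constructed for illustration.

```python
import plistlib

# Constructed sample profile: a Restrictions payload that leaves Siri
# reachable while the device is locked.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowAssistant</key><true/>
      <key>allowAssistantWhileLocked</key><true/>
    </dict>
  </array>
</dict>
</plist>"""

RESTRICTIONS = "com.apple.applicationaccess"

def _restriction_payloads(profile):
    """Yield the Restrictions payload dicts inside a parsed profile."""
    for p in profile.get("PayloadContent", []):
        if isinstance(p, dict) and p.get("PayloadType") == RESTRICTIONS:
            yield p

def siri_lock_screen_findings(profile_bytes):
    """Return a list of findings; an empty list means this profile blocks
    Siri on the lock screen."""
    payloads = list(_restriction_payloads(plistlib.loads(profile_bytes)))
    if not payloads:
        return ["no Restrictions payload: lock-screen Siri is not restricted"]
    # Both keys are treated as true when absent. Assumption of this example:
    # one payload setting either key to false is sufficient.
    for p in payloads:
        if not p.get("allowAssistant", True):
            return []
        if not p.get("allowAssistantWhileLocked", True):
            return []
    return ["Siri answers while the device is locked"]

def harden(profile_bytes):
    """Return the profile with lock-screen Siri disabled; Siri itself stays on."""
    profile = plistlib.loads(profile_bytes)
    for p in _restriction_payloads(profile):
        p["allowAssistantWhileLocked"] = False
    return plistlib.dumps(profile)
```
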


Comments: (2)

A Finextra member | 26 May, 2014, 07:08

This is a tradeoff between usability and security. The Siri feature was never meant to be secure and if it is misused it only creates a problem for single users. Business logic then tells Apple to move on as before. By the way: Have you ever thought about how the spell checker works? It comes up with suggestions that are my own spelling mistakes and abbreviations, which proves that apps definitely leak data to the phone operating system or very likely to a server as well. (Used to build dictionaries..?)
Matt Scott - RenovITe Technologies Inc - London | 27 May, 2014, 15:12

I've disabled Siri - not because I am overly Security-sensitive - but because iOS is not smart enough to detect when my mobile drops to GPRS or EDGE connectivity (which doesn't offer enough Bandwidth to support the Siri Cloud Assistance Service). I would have expected the device to be smart enough to drop into Voice Control (which is an offline service provided by the handset). Even Voice Control spuriously phones random numbers when I am trying to command it using my handsfree kit... growing tired of Apple related issues (having been an Apple convert since 2003) - typing this on my first (personal) non-Apple Laptop since then...
