Cenzic Researchers Find New Vulnerability in Apple's iOS 7
Sep 27, 2013 (Close-Up Media via COMTEX) --
Cenzic, a provider of application security intelligence, announced that two of its security engineers, Abhishek Rahirikar and Michael Yuen, have recently discovered a security flaw in SIRI, Apple's voice-activated personal assistant, that allows anyone with a locked iPhone in hand to bypass the lock-screen controls and take actions on the owner's behalf.
According to the release, the weakness lies directly within SIRI and undermines iOS 7's ability to gate common tasks that should require the owner's permission.
"It didn't take long for our research team to discover this flaw with SIRI and how the operating system was fundamentally ill-designed," said Tyler Rorabaugh, Vice President of Engineering at Cenzic. "Essentially any unauthorized person or thief can take your iPhone and, without knowing your passcode, can send Tweets, Facebook posts, messages and emails to your friends and contacts, posing as you."
Cenzic noted that its researchers put together a short YouTube video last week demonstrating the use of SIRI on a locked iPhone running iOS 7 to make a Facebook posting and update a Facebook status. The operations that Cenzic's researchers were able to perform on a locked iPhone include the ability to:
- Call any phone
- Send messages using the iPhone owner's identity
- Send email using the iPhone owner's identity, which could enable phishing attacks
- View calling history, exposing information on recent calls and calling partners
- View limited contacts, enabling attackers to discover details on specific, known contacts
- Discover personal information of contacts with common, easily-guessed names
- Post on Twitter
- Post on Facebook
- Get addresses saved in Apple Maps
Cenzic added that these functions were found to be accessible on older iPhones as well, including those running iOS 6. Cenzic's researchers confirmed that on iOS 6, SIRI can likewise be used to post on Twitter and Facebook on the owner's behalf, provided both accounts are set up and SIRI is enabled. Twitter and Facebook posting is possible only when the accounts are configured under Settings -> Facebook and Settings -> Twitter.
Added Rorabaugh, "This vulnerability indicates that there is a thin line between security and convenience. Functionality like calling phone numbers, sending messages and sending emails, even if the phone is locked, can be debated as security over convenience but there is no setting that can control this if SIRI is enabled. Users need to turn off SIRI in locked mode."
"When dealing with the triple-A security protocol, which is authentication, authorization, and accounting, mobile phones are really lacking in this area. We do not see a way to authorize only specific SIRI commands for permissions and no way to authenticate the user of the phone verbally to SIRI using voice recognition or a combination of scenarios. Instead, the user is forced to turn the feature off. The worst part is that there is no accounting record of who did what while the phone was locked," said Rorabaugh.
Cenzic's research team notified Apple of this vulnerability last week and Apple Product Security did respond, saying "iOS security settings allow you to disable SIRI when your device is locked, if desired. If you wish to do this, in Settings, under General, Passcode Lock, set the SIRI switch to Off."
Rorabaugh concluded, "The concern here is about privacy for the millions of people that leave their phones lying around in common places. It basically turns the common person into a super spy who can easily get your phone records like they work for the CIA or the NSA...and then send out an email acting as you to people on your contact list."