A bug in Siri allows anyone to bypass a locked iPhone's passcode and access both the saved contacts and photos stored on a device.
The simple hack uses Siri's ability to search Twitter to find an email address, which can be used to open the iPhone's address book without entering the security code needed to unlock the phone.
Jose Rodriguez (@VBarraquito), March 31, 2016:
"I just found a new
Photos and Contacts
iPhone 6S + iOS 9.3
Waiting for Apple
bug bounty program
It is true, I'm not bluffing"
The iPhone does not need to have Twitter installed, and the vulnerability exists even on the latest version of iOS, 9.3.1. It takes seconds between activating Siri by holding down the home button and accessing the phone's contacts.
However, it also requires the use of the 3D Touch function on the latest iPhone 6s and 6s Plus, so earlier models and the iPhone SE released last month are not vulnerable.
How it works
The hacker must ask Siri to find tweets that include an email address, such as those containing "gmail.com". Once they find a tweet, the iPhone's 3D Touch can be used to add that address to a contact - a process that opens up the entire address book.
When selecting a contact to add the email address to, the user can choose any of the stored contacts on the iPhone, revealing their phone numbers, email or addresses. And by selecting an option to edit a contact's profile photo, they can access the entire photo library.
The glitch was posted on YouTube by Jose Rodriguez, a specialist in iPhone hacks.
Siri has gradually become more intelligent since it was introduced on the iPhone 4S in 2011, in an attempt to allow users to quickly do tasks without having to unlock the phone and open an app. But this has created the opportunity to exploit it to access otherwise hidden material.
In many scenarios, Siri will cut off access to personal information before it can be accessed, but this bug appears to have been missed.
How to protect your phone
Apple may introduce a fix for this, but at the moment the only way to prevent it is to disable certain Siri functions.
If you want to make sure Siri can't access your address book or photos, the best way is simply to turn off access to Siri when the iPhone is locked. Go to Settings, then Touch ID & Passcode and deselect Siri under "Allow access when locked".
If you want to keep using Siri while your phone is locked, you can block its access to your photos, but the hack will still be able to access your contacts. To do this, go to Settings, then Privacy, then select Photos and deselect Siri.