Blog: DFIR
You lost your iPhone, but it’s locked. That’s fine, right?
TL;DR
- Default iOS configuration leaves your locked device vulnerable
- Ensure your emergency contacts are set.
- Use ‘Find My’ to track / wipe lost devices.
- Take regular backups.
- Consider turning off the lock screen message previews.
Introduction
Picture this: you’ve lost your iPhone. Luckily, it’s locked, so no one can access it, right? Well, not exactly. Apple’s iOS settings can create surprising vulnerabilities, even when locked. A colleague of mine, Lambros, recently explored the risks of losing a smartphone, and today, I’m diving into what someone could do with your locked iPhone if it ends up in the wrong hands.
How default iOS settings create vulnerabilities
The default iPhone settings allow Siri access from the lock screen, either through voice-activated commands such as “Hey Siri” or by pressing the side button, even when the device is locked. This setting, coupled with another default—showing message previews on the lock screen—opens doors for misuse if your iPhone is misplaced or stolen.
What default looks like
The default configuration for iOS devices is to Allow Siri When Locked, triggered by the wake phrases “Siri” and / or “Hey Siri” or by pressing the device’s side button, as shown below.
Figure 1 – iOS Siri & Search Default Configuration
Without manual input, Siri can place calls and / or send text messages to a named contact or verbalised phone number, as well as create alarms, reminders, calendar entries and other routine tasks, all from a locked device.
iOS devices can also, under certain conditions, present a list of saved contacts to the user despite being locked.
For example:
- You ask Siri to call ‘Tim ABC’ and the call is placed to a contact saved as ‘Tim ABC’.
- You ask Siri to call ‘Tim’ and you are presented with a list of all contacts including the name ‘Tim’.
- You ask Siri to call ‘ABC’ and you are presented with a list of all contacts including ‘ABC’, as shown in the screenshot below.
Figure 2 – Siri Presents Multiple Options Containing ‘ABC’
Upon being presented with a list, the user can select a contact, and the call is then placed from the iPhone’s lock screen.
It is worth noting that Siri appears to learn from user behaviour. For example, if the device has interacted with ‘Tim ABC’ more frequently than ‘Jack ABC’, Siri may place the call directly to ‘Tim ABC’ rather than present the list shown above when asked to call ‘ABC’.
Siri can also be leveraged to send messages from a device’s lock screen. More concerning still, the dictated message can then be edited with the on-screen keyboard, all from the device’s lock screen.
Figure 3 – Editing a Message Initiated via Siri
What are the implications?
Now, let’s consider that a misplaced iPhone finds itself in the wrong pair of hands. We’ve all received spam messages, in some format, asking for money, right? Well, what if that message asking to borrow money actually came from a trusted phone number, which you exchange messages with frequently? You can see where I’m going with this…
- Attacker: “Hey Siri, send a message to Mum”
- Siri: “What do you want to say?”
- Attacker: “Hi Mum, the boiler’s broken and I don’t have the money to fix it, would you possibly be able to lend me £500 please? I’m sorry to ask, but I’ll pay you back next month. Please can you send the money to *insert account details here*. Thank you!”
Couple this with the fact that the default setting in iOS is to always show previews of messages on the device’s lock screen, so whoever holds the device can also read any replies and respond accordingly. This could become a pretty expensive and dangerous game.
Figure 4 – Lock Screen Message Preview
Figure 5 – Default Preview Settings
How to avoid this
We recommend disabling the ‘Allow Siri When Locked’ feature. Now, you may wonder, what happens if you lose your phone then? Well, of course, you can still call it from another number and hope that a good-natured person will pick up and reunite you with it.
However, to be safe, here are a few things we recommend alongside disabling the use of Siri from your device when locked:
- Ensure that your Emergency Contact details are set up and up to date (these can be accessed via the emergency call screen from a locked device) and notify said person. (Settings -> Emergency SOS -> Set up Emergency Contacts in Health).
- Consider using an application such as the iOS ‘Find My’ application, which will allow you to track your device and remotely wipe if necessary.
- Create regular encrypted backups of your data. Should anything happen to your iPhone, you can restore your backup to a new device with little effort.
- Change the ‘Show Previews’ setting to ‘When Unlocked’ or ‘Never’. (Settings -> Notifications -> Show Previews).
Conclusion
It’s generally good privacy and security practice to lock your device down out of the box. It doesn’t take long. There’s a comprehensive guide for you here.