Security News Default iOS Settings Make Locked iPhones Vulnerable to Attacks

enaph

Despite common assumptions about the security of locked iPhones, default settings in iOS can expose users to serious privacy and security risks.

Security researcher Lambros revealed via Pen Test Partners how default configurations on locked iPhones allow access to features like Siri, message previews, and contact details, which can be misused by anyone who finds or steals the device. His findings underscore the importance of tweaking these settings for better protection.

iPhone risky by default

Out of the box, iPhones are configured to allow Siri access on the lock screen through the “Hey Siri” command or by pressing the side button. This setting means anyone can potentially use Siri to make calls, send messages, or create calendar entries — even if the phone is locked. Further, iOS displays message previews on the lock screen by default, showing incoming message content and enabling replies without unlocking the device.

This configuration presents a privacy loophole. For instance, Siri can show contact suggestions based on user prompts, which an attacker could use to communicate with a contact list. If a malicious actor gains physical access to a misplaced or stolen iPhone, they could exploit Siri to send misleading messages or initiate potentially harmful interactions with known contacts.

With Siri accessible from the lock screen, attackers can target victims with social engineering schemes. Lambros illustrates a hypothetical scenario: if a thief has access to a lost iPhone, they could activate Siri and instruct it to message someone listed as “Mom” or “Dad.”

The attacker could then pose as the phone owner, fabricating an urgent request for financial assistance, knowing that the trusted contact might respond favorably. Since iOS shows message previews by default, the attacker could even view and respond to replies from the lock screen, making the deception more credible.

[Image: Editing a message initiated by Siri. Source: Pen Test Partners]

Recommended protection steps

To mitigate these risks, security experts suggest iPhone users change specific settings. Apple’s “Find My” feature, available on all iOS devices, enables users to locate and remotely wipe their devices, a crucial tool in case of theft or loss. However, by adjusting certain privacy settings, users can further secure their locked iPhones from unauthorized access.

Here are recommended adjustments:

  • Disable Siri on the Lock Screen: Go to Settings > Siri & Search and turn off “Allow Siri When Locked” to prevent unauthorized access to calls, messages, or contact lists.
  • Update Emergency Contact Information: If you lose your phone, setting up emergency contacts can ensure they are notified via the emergency call screen, adding a layer of safety without relying on Siri. Path: Settings → Emergency SOS → Set Up Emergency Contacts in Health.
  • Enable “Find My” for Tracking and Remote Wiping: Apple’s “Find My” app allows users to track their lost or stolen devices and remotely erase data if recovery isn’t possible.
  • Take Regular Encrypted Backups: Regular backups (preferably encrypted) allow users to restore important data on a new device should they lose their iPhone. This can be done through iCloud or iTunes.
  • Adjust Message Preview Settings: By navigating to Settings > Notifications > Show Previews and selecting either “When Unlocked” or “Never,” users can prevent message content from being displayed on the lock screen, keeping sensitive information from prying eyes.

While iPhones have advanced security features, the default settings might inadvertently open up access to critical functions on a locked device. By making a few adjustments to disable Siri access on the lock screen and limit message previews, users can protect themselves against potential misuse in case of loss or theft.
