The lock screen in iOS has never been fully secure. Countless exploits have surfaced in the past that let anyone make calls or even access the camera roll, all of which is supposed to be hidden behind a passcode. One such exploit appears to be present in iOS 7.1.1 as well, the most up to date version of Apple’s mobile platform. By invoking Siri on the lock screen, which is enabled by default, anyone who knows how to tap into this exploit can gain access to the entire contact list on that iOS device and then make a call, send a text or send an email.
The exploit has been discovered by Sherif Hashim, an Egyptian neurosurgeon who is well known as a part-time hacker. He has posted a video on YouTube showing it in action. Hashim first shows that the device is locked by trying to unlock it using Touch ID. Once that is established he goes about tricking Siri into giving up the contacts.
It’s actually easy enough to get Siri to do this. Invoke Siri and give it a command like “Call,” “Email,” or “Text.” It will then ask whom you want to contact; simply type in a single letter and let Siri ask which contact you really mean. An “Other…” option will then appear which, when tapped, brings the entire contact list out into the open.
From here any contact can be called, texted or emailed without requiring a passcode. The only fix available right now is to disable Siri on the lock screen, something which can be done through the Settings app. It is unclear if Apple is working on a fix for this exploit or if it will simply leave it up to users to decide whether or not they want Siri on the lock screen with such a gaping hole in it.