iPhone 4S security hole uncovered

01:50, Oct 19 2011

The executive love affair with the iPhone and the iPad may be dealt a bucket of cold water if Apple does not address a security loophole introduced by the new personal assistant application Siri.

An IT manager for a large Australian corporation with 1000 users, responsible for a fleet of 200 smartphones and BYO devices, has pinpointed what he says is a shortcoming that will prevent his company from allowing the new iPhone 4S, and eventually iPads with Siri, onto its network.

He says the introduction of Siri - a handy personal assistant capable of scheduling meetings, sending emails and addressing most questions thrown at it via voice command - makes it impossible to enforce the use of a passcode on iPhones.

Siri has fascinated consumers since its introduction on October 5. In business it could come in handy for overly busy executives who multitask and seldom have the luxury of a human personal assistant.

But because of Siri, companies concerned about the security of data such as global contact lists and confidential emails are no longer able to force users to lock their phones. Users can turn off the passcode lock if they wish.

"When we activate an iPhone on our network, we can make the use of the phone passcode compulsory, so if the phone is lost or left lying around our company information is secure. We also can 'grey out' the option for the end user to turn off the passcode through the Apple-supplied [Microsoft] Exchange interface.


"But there is no option to disable the Siri controls. It effectively bypasses the phone passcode - anyone can activate Siri and access the phone book and email," Steve McDonnell says.

Other users have pointed out the "voice control" feature on older iPhones also allowed the lock screen to be bypassed, but McDonnell says this is worse because there is no option to disable Siri as a policy.

"There is the option in the settings to disable Siri at the lock screen, however, as an enterprise we are not able to leave that option available to the end user as it compromises our security policies."

McDonnell said he spoke to an Apple representative in the US and was told it is an option that is not available at this time.

"Apple has now put out a message to say Siri is in beta, like it's not all finished, but we're not trying to use it. We are trying not to use it.

"It's an amazing piece of software but as a company we can't allow the users the option to turn off security. I'm sure Apple will fix it, but it needs to be fixed sooner rather than later."

McDonnell told Fairfax and users of a Mac online forum that the iPhone 4S will "continue to be banned on our network, but I think the general population should be informed that there is a risk to corporations".

Yes, you can get stuff you should be able to get to. But you can't download the address book. If you can tell Siri, "send me the contents of this address book", that will be a problem.

A McAfee spokesperson confirmed the iPhone 4S did not have the ability to force corporate users to use a passcode on the phone. Anna Stepanov, group product manager enterprise mobile with McAfee in the US, said it may be possible, however, to use a third-party product to override the controls and manage such a policy. The company is currently investigating the new features of the iPhone 4S.

Apple has been contacted for comment but has not yet responded.

The Age