When Apple first unveiled iOS 9 this summer, one of its biggest selling points was a new, smarter Siri. Under the new OS, Siri is more deeply integrated, pulling more data from more sources and making many recommendations before you've even asked for them. But this week, security researchers discovered a downside to Siri's new intelligence. iOS 9 lets users access Siri from the lock screen, and if you work that access right, you can use it as a way to add contacts or even access the camera roll.
It's a tricky attack, unlikely to be deployed widely, but some are already speculating that it could be used by police to inspect a suspect's phone without having to bother with the code. Fixing the bug is simple: you can disable Siri's lock screen access in the "Touch ID & Passcode" section of Settings. But most users won't bother to change the default, if they know about the vulnerability at all. With that one tweak, the iPhone's lock screen protections get a little weaker.
Even worse, this isn’t the first time Apple has faced lock screen problems. Similar bugs popped up in iOS 5 and iOS 7 — although in each case, subsequent updates fixed the problem.
It's not the only example of security backsliding. As David Longenecker points out, iOS 9 is also promiscuous when it comes to desktop tethering. As in iOS 8, an unlocked iPhone can now tether to a computer with just a single click — no password necessary — allowing the computer to copy emails, photos, and texts whenever it’s connected, even when it's locked. Longenecker had hoped the issue would be fixed in iOS 9, but it now appears to be the iPhone status quo.
Neither of these attacks is particularly scary (they're certainly nothing compared to Stagefright or Android's persistent patching issues), but they suggest an old dynamic that many thought Apple had put behind it. Given the choice between security and convenience, Apple will choose convenience. That tendency has hurt the company before, most notably in the Celebgate leaks, which used social engineering to exploit an overly pliant iCloud customer service system. And judging by the latest nudges in iOS 9, it's alive and well.
"An iPod touch with FaceTime + iMessage is probably the most secure device (with the best cover), you can get for less than €600" — the grugq (@thegrugq), January 28, 2015
That trade-off is particularly important given iOS's reputation for security. As Tim Cook talks up the company's encryption standards, security pros are increasingly agreeing with him. And even with the latest nudges, they're right. Unless you've got a Tails laptop at home, the iPhone is still the most secure device you own. But these latest tweaks suggest Apple isn't always interested in keeping it that way.
9/28 8:58AM: Updated to clarify that the tethering issue originated in iOS 8.