New iPhone lock screen flaw gives hackers full access to contact list data

New iPhone lock screen flaw gives hackers full access to contact list data

Summary: iPhone users are vulnerable to a lock-screen flaw that allows a hands-on hacker to gain full access to a user's contacts list.

TOPICS: Security, Apple, iPhone, iPad
(Image: ZDNet/CBS Interactive)

iPhone users may be vulnerable to a lock-screen flaw that allows a hacker to access contact list details on the device.

Read this

iOS 7 review: Apple's mobile mid-life crisis?

iOS 7 review: Apple's mobile mid-life crisis?

iOS 7 had an extreme makeover, beauty pageant style, in a vastly aesthetic and design-focused release. Here's more.

According to the Egyptian part-time hacker who discovered the flaw and recorded the steps on YouTube, Sherif Hashim, the vulnerability only exists when running iOS 7.1.1, the latest version of the mobile platform, and when Siri is available from the lock-screen.

The flaw exists when Siri is triggered on the lock-screen, and a user says, "Contacts." Although Siri will refuse to dish out any details, not before bringing up the password screen, a user is able to access the contacts list by pulling up on the screen, editing the request, and asking for a duplicated name. If you have more than one "John," for instance, you have the option to view all contacts from the "Other..." menu.

However, the hacker attempting to gain access to the device must be in its physical presence in order to perform the trick.

Manage the influx of Apple devices into your workplace with the expert advice in this Tech Pro Research download.

ZDNet tested this in our Louisville, KY office, and was eventually able to reproduce the bug after numerous attempts. Although you can try different names one by one, you also have the option to access the full contacts list.

The flaw, which is believed to work on all iPhone versions running Siri, doesn't just gain access to phone numbers, but any information that is available from a contact card.

Users are advised to switch off Siri from the Passcode options in the General settings of the device.

ZDNet reached out to Apple for comment, but did not hear back at the time of writing.

Topics: Security, Apple, iPhone, iPad

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • This is far from full access.

    You can get the list of names but can't get any details under the names. No addresses, emails, FB, Twitter. You can just call someone.

    Is this expected or per requirement? I don't know the design intent but it could very well be.
    • um

      reading the article answers your question.
      I know, I know...
      • Um... The article is in error.

        You don't gain access to the entire card.
    • Try This

      1. Lock the iPhone; bring up SIRI
      2. Tell SIRI: "Show Contacts"
      3. SIRI says that "I can't do that" or something like it.
      4. SIRI gives you a link that opens contacts.
      5. You can see all details.
      • Wow, it works.

        Considering it's my work phone......
        Thankfully I keep Siri caged.
      • Nope, you have it wrong.

        You can NOT open the contacts without a pass code and you can see NO details.

        You may not have your pass code set to be required immediatly.

        Again, this article has tons of factually incorrect information.
  • YouTube

    Nice that both you and the Egyptian Hacker post the YouTube video here for the world to see.
    • Ignorance is bliss, right?

    • Ha. Just dont lose your iPhone.

      Look, I owned an iPhone for three years. Great device. No major complaints. Was it less then perfect? Yes. I suffered a number of glitches at various times, one that actually looked up the entire phone for brief periods so I couldn't even shut it off by button. How do you like that one. That glitch went away. But it was actually an over all very good phone, it was an early version, the 3G, but for its time I thought it was pretty damn good. Ive had some good hands on time with both the iP4 and iP5 models and they come across as over all great devices as well.

      But nothings perfect. The spoken of contacts list flaw is hardly earth shattering. Firstly, its non existent if you don't lose your phone or put it into the hands of someone you shouldn't. Secondly its non existent if Siri is switched off Siri from the Passcode options. Thirdly, its likely not your largest worry if you do lose your phone, and if the person who finds it is pulling off this hack and is planning to make use of it by somehow calling your contacts or putting the list to work for them in some nefarious way, because if that's the case, unless there is something you really need to keep hidden in your contacts list, the much worse thing is that this hacker lout who found your phone and is hacking it is probably not intending on ever giving it back either, and for most that's an instant problem that could lead to bigger problems.

      This hack, fortunately, is like so many security issues over the last few years in that while on the one hand its a concern, its something your very unlikely to encounter. The few who might ever encounter this hack, while I feel badly for them, its no where near enough to start declaring iPhones as some kind of notable security risk.

      And again, that's pretty much the reality of pretty much every computing device that's reasonably well taken care of, along with some common sense online practices.

      If anyone starts jumping up and down and screaming this is some kind of an awful failure by Apple I couldn't disagree more. And I am no Apple apologist.

      This hack proves little. Other than iPhones are not perfect. Something I already knew because I owned one and am quite familiar with the product line.

      And I knew iPhones were not perfect long before the first iPhone ever hit the drawing board. And that's because I know nothing is perfect.

      Its because of that I know no matter how much I like my new WP8, it sure as hell isn't perfect either.

      For me, I read articles like this "just so I know". I gave up trying to think of them as evidence that my choice of hardware is so much more intelligent than others a long time ago. It dosnt work that way in reality.
      • Allow me to assist you:

        Respectfully allow me to make corrections to the following sentence:
        "…its something your very unlikely to encounter. The few who might ever encounter this hack, while I feel badly for them, its no where near enough to start declaring iPhones as some kind of notable security risk.…".

        Both its should be, it is or it's.
        No where should be, nowhere.
        Your in this sentence is incorrect, instead use, you are, or you're.
        "I feel badly…", is there something wrong with your sense of touch? It should read "I feel bad".

        Given those mistakes your comments are spot on. Thank you for sharing.

        • Ya thanks.

          But Im not going to change my post writing on ZDNet, at least not much. I work in a profession that requires not only sheer perfection in writing, it requires an ability to structure and minimize it in spectacular ways that still impart precisely the exact meaning of what I want to say in the shortest possible method on very complex issues.

          Perhaps unfortunately, I almost try to avoid any of the care Im required to write with at work when I post to ZDNet. And of course, Ive seen plenty worse here so many times Ive lost count. I know that's not an excuse or good reason for sloppy writing, but I don't care quite frankly.

          Far from nit picking about where someone should be using commas or not and cheapo street grammar and wording , with all my honesty, I do believe people who want to complain about the content of posts would do us a far better service to jump onto the numerous posters here who feel they have to frequently post pure nonsense and completely biased obtuse comments simply because they have taken up hating a particular company or product.

          Some days it gets difficult around here to find an even handed post from a reader who sounds like they have put a reasonable amount of unbiased thought into what they are saying.

          But I certainly thank you for you critique, its honest. But like I said, I don't post on ZDNet to practice my prose and perfect it. I simply try and do my best to keep my temper (which I don't always succeed at) and write commentary that isn't based on senseless bias or an overwhelming desire to bludgeon people who simply have different tastes then I do.

          Like I said; nothings perfect. Least of all me.
          • I understand your thinking.

            As I see it misspellings and incorrect word word usage are now an accepted practice. Sometimes it appears English is not the posters first language. Yet, years ago I had a secretary from a non-English speaking country. When she came to the USA she learned our language and took much pride in her grammar and spelling.

            When she proof read my reports then with humor put them on my desk saying some such "my English, spelling and grammar is better than yours redo some of this". She kept me on my toes and because of her my writing greatly improved. We would challenge each other, it was fun. Others in the office saw the pride we took in our writings they also took to the challenge. After a while it was very difficult finding errors in anyones reports, e-mails, and the like.

            Because one person, my secretary, had pride in her spelling and grammar we all became better writers.

            Here are a few others that are very often misused:
            Anxious when eager is the correct word.
            Loose for lose
            Losing not loosing—there is not a such a word in the English language
            Their, there, they’re
            You're, you are, your
            To, too, two
            Okay rather than OK—the abbreviation for the state of Oklahoma)
            Use Lectern not Podium (lectern we stand behind, podium we stand upon)
            Use ask not axe

            All the above are from grade school grammar yet we see those same mistakes in the newspaper, magazines, and hear them on TV and radio. To me we are accepting mediocrity.

            Good chatting with you

  • iPhone lock screen flaw?

    But Apple said they're perfect?
  • I thought Apple was flawless.

    I thought Apple was perfect. No need for anti virus or any of that pesky stuff.


    Can't wait to see the Fanboys try excusing this one.

    Rob Berman
    • Im no Apple fan boy.

      And I think its relatively forgivable.
    • but it's not a flaw

      It's a feature!
      It's the NSA backdoor that they can call your friends to let them know they have found your iphone even though they have you secretly locked up in their torture chamber.
  • A bonus feature for iPhone users

    This is so basic and simple! Way to spill your guts, Siri! DUH!!
  • Its an amusing way to pull contact phone numbers

    from a supposedly locked phone. But realistically what use is that to anyone?? If I have misappropriated an iPhone the last thing I'm going to do is use this trick so I can call the owners contacts and let them know I have their friends phone.....
    The Central Scrutinizer
  • Bypassing Password

    I use my iPhone as my alarm clock. Kind of neat because you can set several alarms with as long a snooze period as you want. I noted some time ago that I could set my alarm without logging in to my phone.
  • Seems like a feature not a flaw.

    It was very clear. You can pull up contacts by simply asking to call someone, be wrong about it and list the entire DB of names by selecting other. It seems that this could be a balance between security and hands free driving. It should be fixed. The error should be on the side of security over hands free driving. If Siri can't determine who you want to call then she should stop there and end the request. A workaround to lock down your phone is to not let Siri function while your phone is locked.