Siri security flaw on iPhone 6s & 6s Plus grants access to Contacts and Photos without passcode

A newly discovered Siri search handling bug allows nefarious users to bypass passcode protected lock screens on iPhone 6s and 6s Plus handsets, granting easy access to Contacts and Photos data. The vulnerability is likely applicable only to a subset of devices, however.

Discovered by Jose Rodriguez, who found a similar lock screen flaw last September, the security hole appears effective only in certain scenarios. As presented in a proof-of-concept video, and confirmed by AppleInsider, the vulnerability applies to iPhone 6s and 6s Plus handsets configured to allow Siri app search integrations for Twitter, Contacts and Photos.

In the example provided, a user — or nefarious agent — invokes Siri via a long home button press, or iPhone's "Hey Siri" function, and asks the virtual assistant to conduct a Twitter search. If the search results contain actionable Contacts data, like an email address, a 3D Touch gesture can be used to call up a contextual menu with options to send mail and add or modify contact information.

From the 3D Touch Quick Actions menu, tapping on "Add to Existing Contact" opens an iPhone's Contacts list, which can then be used to access device Photos, if so configured.

Rodriguez told AppleInsider the 3D Touch loophole is also applicable to Siri results for WhatsApp friends list searches.

There are a few caveats to successfully leveraging the apparent security flaw. Specifically, the device owner must previously have granted Siri access to their Twitter account, photo library or related app, either by conducting a Siri search themselves or by manually configuring service permissions in Settings. When a user first asks Siri to conduct a Twitter search, the assistant seeks permission to access the Twitter account indexed in device settings, and to verify ownership Siri requires confirmation via passcode or Touch ID.

Those concerned about potential intrusions can disable Siri's Twitter integration by navigating to Settings > Twitter and switching off Siri. Doing the same in Settings > Privacy > Photos cuts Siri access to an iPhone's photo library. Alternatively, Siri itself can be completely disabled.

The bypass remains effective on Apple's latest iOS 9.3.1 update.