Here’s an easy thing you can do right now to improve your digital security hygiene. Pull out your iPhone, open Settings, go into the Siri settings, and turn off Access When Locked. That’s it! Do it on your iPad while you’re at it. Go ahead and do it for your family and friends, too, at holiday functions when you need to deflect personal questions. Everybody wins!
In the battle of the smart assistants, every tech giant hopes to hook you on its voice-activated helper. That means putting the features front and center in as many products as possible. For its part, Apple offers Siri access from your iPhone’s lock screen, so you can seamlessly hear the weather or make a call without needing to unlock your device. But while Siri and other smart assistants are generally secure, all this integration inevitably leads to bugs from time to time. On a smart speaker, that’s usually not a huge deal. On a smartphone, Siri bugs have made its lock screen presence a periodic risk.
The trouble stems from Siri’s ability to control several aspects of your smartphone. It needs that access to effectively help you navigate your iPhone by voice, but new versions of iOS often miss controls on that access. These bugs could let someone who doesn’t have your passcode—or fingerprint or face—manipulate Siri to access some of your personal data, or even unlock your phone, without authorization.
“It might be worth considering turning it off for folks who do not need it much in the lock screen,” says Will Strafach, an iOS security researcher and the president of Sudo Security Group. “Especially since Touch ID and Face ID make it so easy now to unlock fast.”
In one recent example, hawk-eyed researcher Jose Rodriguez, who has uncovered numerous lock screen bypass bugs since he started looking in 2013, found a new lock screen bug mere hours after Apple released iOS 12. The flaw let anyone access a device’s full contacts list without needing to first unlock the phone. When using Siri to create a conference call, iOS requires authorization to go through contacts and add an additional caller. But when Apple added group FaceTime calls, the company forgot to limit who could scroll through contacts while adding a line.
Apple did not return requests for comment about fixing the iOS 12 FaceTime bug, or the potential security benefits of disabling Siri on your lock screen. In general, though, once lock screen bypass flaws come to light, the company fixes them in subsequent iOS updates.
In addition to Siri, lock screen bypass bugs can also involve accessibility voice commands and iOS’s Control Center. Essentially, any feature that accepts inputs while a device is locked represents a potential point of failure. “People may like Siri on the lock screen, but my personal choice is to disable both Siri and Control Center there,” Strafach says.
The same concept applies on Android, though it shows up in more varied ways thanks to that platform’s fragmented landscape. For iOS, though, the protection is straightforward. Just turn off lock screen Siri.
Lock screen bypass flaws aren’t the most pressing digital security concern for the average iOS user, because they generally involve physical access to a target device. But they’re also usually easy to replicate—meaning people are more likely to be able to exploit them in practice. Given the minor inconvenience of turning lock screen Siri off, why take the risk?