Siri Voice Command Bug Could Let Thieves Hide from Find My iPhone

The theft of smartphones is a large problem, especially with high-value items like iPhones. Whether a thief takes a phone to use or to resell, they’ll need to wipe the device first. Normally, the iPhone passcode and access control restrictions prevent that from happening. Meanwhile, a user can activate Find My iPhone to uncover its location or remotely wipe a device—a useful anti-theft mechanism, as it renders the phone useless to a thief intent on stealing your private information.

However, a freshly discovered bug in iOS versions 10.1 through 10.3 could allow a thief with a stolen iPhone to sever the phone’s connection to the Internet. He could do this by deactivating its mobile data connection — and without needing to know the user’s password. Demonstrated by a German security researcher, an attacker only needs to exploit a simple flaw in Siri.

If a user tries to request deactivation of mobile data via Siri, Siri will always respond that the user must first supply their passcode. However, if the user then begins asking simply for “Mobile Data” instead of an action related to this option, the exploit comes into play. After locking the phone and re-activating Siri, simply requesting “Mobile Data” again allows the user to access the toggle. At this point, a thief can turn it off. Now they no longer need to worry about the true owner remotely wiping the device, and they can continue to work on it as they please.

With a passcode on and the user control panel turned off, this is the only way for a thief to bypass the protections Apple has in place. However, that doesn’t diminish the potential for this exploit to be used by thieves. As this bug has only just been reported, Apple has yet to comment or issue any update to fix this. Stay tuned for updates on this exploit as it develops.