The voice-activated feature on the new iPhone 4S will let anyone use the phone to send e-mails and text messages and make calls even if it is passcode locked, security firm Sophos revealed today and CNET has confirmed.
Try it. Grab a friend's locked iPhone 4S, press the button and ask Siri to do something. I was able to send a text message, make a call and send an e-mail, all without knowing my friend's passcode. Another colleague confirmed that she could get an address and a phone number out of the phone and even see the calendar.
To be clear, the phone is still locked in the sense that someone can't just grab it and make calls to any phone number by dialing. And users are also unable to launch apps. We also weren't able to send an e-mail to an address that was not in the contact list or find other data for people who weren't already in the contact list.
To some this might seem like old news. Similar capabilities were available by default with the Voice Control feature, which was introduced with the iPhone 3GS in 2009. But it appears at first glance that Siri allows you to do more with a locked iPhone than Voice Control does.
In my limited sampling, iPhone 4S owners seem to be shocked to learn about this default Siri setting, so chances are that many people didn't know about the Voice Control default setting either.
Thankfully, there is an easy fix for this. In the Passcode Lock settings, switch Siri to "Off." This lets you continue to use the feature once your iPhone is unlocked, but keeps users from accessing these features when security is enabled.
It's pretty surprising that Apple's default setting allows Siri to be used without unlocking the device.
"What's disappointing to me though is that Apple had a clear choice here," Sophos' Graham Cluley writes in a blog post. "They could have chosen to implement Siri securely, but instead they decided to default to a mode which is more about impressing your buddies than securing your calendar and email system."
Apple representatives did not immediately respond to e-mails and a phone call seeking comment.
(CNET's Sharon Vaknin and Josh Lowensohn contributed to this report.)