A new video has sprung up on YouTube that shows how someone can bypass an iPhone 5s' security lock without the need to swipe the Touch ID sensor or input the 4-digit passcode locking the device. The video shows a user accessing the contacts saved inside the iPhone 5s (Review | Pictures), using voice-commands via Siri.
It has been also said that other iOS devices running iOS 7.1.1 lock screen are vulnerable to the reported exploit, which lets users bypass the passcode to access the contacts and even edit, copy and share them with others. It's not clear if other iOS versions are vulnerable to this bug.
The video by Sherif Hashim at first shows Siri rightfully asking for passcode when asked for 'Contacts' on a locked iPhone 5s. However, when given the voice-command 'Call', Siri straight away asks the user whom to call, giving access to on-screen keyboard via which one can search contacts and get access to the full phonebook list by tapping on 'Others' option.
NDTV Gadgets independently verified the exploit on an iPhone 4S running iOS 7.1.1. To bypass the lock screen, we had to issue a specific Call voice-command to Siri that also included a first name or last name of a contact that was featured in the iPhone's address book more than once - this can be trivial, with common names easily guessable. Once the voice command is given, a list of contacts matching the spoken name appear, along with the Call Other option, which gives other possible matches. If users select the Call Other option, they get access to the entire contacts database on the phone. Any of these contacts can be directly called from the lock screen.
Hashim's video however gives a simple solution at the end advising users to keep their 'Siri' voice-assistant switched off. Apple is yet to comment on the matter, but we assume the vulnerability will be patched out in an upcoming iOS update, possibly iOS 7.1.2.