Default iOS Settings Make Locked iPhones Vulnerable to Attacks

Despite common assumptions about the security of locked iPhones, default settings in iOS can expose users to serious privacy and security risks.

Security researcher Lambros revealed via Pen Test Partners how default configurations on locked iPhones allow access to features like Siri, message previews, and contact details, which can be misused by anyone who finds or steals the device. His findings underscore the importance of tweaking these settings for better protection.

iPhone risky by default

Out of the box, iPhones are configured to allow Siri access on the lock screen through the “Hey Siri” command or by pressing the side button. This setting means anyone can potentially use Siri to make calls, send messages, or create calendar entries — even if the phone is locked. Further, iOS displays message previews on the lock screen by default, showing incoming message content and enabling replies without unlocking the device.

This configuration presents a privacy loophole. For instance, Siri can show contact suggestions based on user prompts, which an attacker could use to communicate with a contact list. If a malicious actor gains physical access to a misplaced or stolen iPhone, they could exploit Siri to send misleading messages or initiate potentially harmful interactions with known contacts.

With Siri accessible from the lock screen, attackers can target victims with social engineering schemes. Lambros illustrates a hypothetical scenario: if a thief has access to a lost iPhone, they could activate Siri and instruct it to message someone listed as “Mom” or “Dad.”

The attacker could then pose as the phone owner, fabricating an urgent request for financial assistance, knowing that the trusted contact might respond favorably. Since iOS shows message previews by default, the attacker could even view and respond to replies from the lock screen, making the deception more credible.

Recommended protection steps

To mitigate these risks, security experts suggest iPhone users change specific settings. Apple’s “Find My” feature, available on all iOS devices, enables users to locate and remotely wipe their devices, a crucial tool in case of theft or loss. However, by adjusting certain privacy settings, users can further secure their locked iPhones from unauthorized access.

Here are recommended adjustments:

• Disable Siri on the Lock Screen: Go to Settings > Siri & Search and turn off “Allow Siri When Locked” to prevent unauthorized access to calls, messages, or contact lists.
• Update Emergency Contact Information: If you lose your phone, setting up emergency contacts can ensure they are notified via the emergency call screen, adding a layer of safety without relying on Siri. Path: Settings → Emergency SOS → Set Up Emergency Contacts in Health.
• Enable “Find My” for Tracking and Remote Wiping: Apple’s “Find My” app allows users to track their lost or stolen devices and remotely erase data if recovery isn’t possible.
• Take Regular Encrypted Backups: Regular backups (preferably encrypted) allow users to restore important data on a new device should they lose their iPhone. This can be done through iCloud or iTunes.
• Adjust Message Preview Settings: By navigating to Settings > Notifications > Show Previews and selecting either “When Unlocked” or “Never,” users can prevent message content from being displayed on the lock screen, keeping sensitive information from prying eyes.

While iPhones have advanced security features, the default settings might inadvertently open up access to critical functions on a locked device. By making a few adjustments to disable Siri access on the lock screen and limit message previews, users can protect themselves against potential misuse in case of loss or theft.