Friday, October 21, 2011

Doctor, is it Siri-ous?

Last week the web was full of reports of a "security hole" in Siri, Apple's new voice control mechanism for the iPhone. ZDNet went so far as to headline "Siri not so serious about security".

So what's the "security hole"? The default iPhone configuration is such that Siri is active even when the iPhone is locked with a passcode. This means that a person with access to your supposedly secure locked iPhone can, for example, send emails from your phone using Siri. It's not difficult to imagine the kind of attacks this would allow someone impersonating you, not to mention the prank potential.

But this is clearly not an unintended "security hole". Apple engineers had to choose between two evils: either allow Siri to work on a locked phone and thus expose the phone owner to the above security hazards or don't allow Siri to work on a locked phone and cripple the feature. Voice control software is most useful in situations when the user can't type (e.g. while driving) - and thus can't enter a passcode. Preventing access to Siri from a locked phone would make it much less useful.

The Apple engineers came up with a compromise between these two evils - to enable those features that would be most useful in a locked phone (e.g. sending messages) and disable those that would most expose the user to attacks (e.g. reading messages).

I imagine the team went through a list of Siri features and divided them into these two groups. For features that belong to one group and not the other (i.e. features that are very useful in a locked phone and don't represent a significant security hazard or vice-versa) their decision was an easy one. The difficult decision was regarding features that are both very useful and represent a security risk.

Apple's decision seems to have been to favor functionality over security. Sending messages is obviously very useful, but it does represent a significant risk - and Apple allowed it.

Such conflicts between security and functionality are part of the life of a security engineer and can be very difficult to decide. The security engineer demands that the feature be removed. The developer cries that without this feature the product won't be able to compete. Such conflicts can be very charged and escalate to the highest management levels, even to the CEOs of large corporations.

The best resolution for such problems is to come up with a technical solution that enables the functionality without impairing security. Finding such technical solutions is one of the more interesting challenges a security engineer deals with. Some conflicts are very difficult, if not impossible, to resolve in such a way.

Jared Newman of PCWorld proposed such a technical solution for the Siri issue: use a passcode alternative such as voice recognition to identify the phone owner and unlock the phone. Implementing such a solution is easier said than done (how do you recognize someone with a cold?), but I do expect Apple to go this way in a not-too-distant future release of Siri.

1 comment:

  1. "Open Sesame"
    Another solution can be to speak a password to unlock the device. Of course, it will only work if you are alone...