October 20, 2011, 4:25 PM — Siri, the virtual assistant built into the Apple's iPhone 4S, has a security problem: By default, anyone can use Siri to send e-mails or text messages from a locked phone, without having to enter a passcode first.
Macworld contributor Scott McNulty discovered the exploit last week. In addition to sending texts or e-mails, Siri can also schedule calendar appointments from the lock screen, passcode-free. To prevent any use of Siri while the phone is locked, users must turn off Siri access under Settings > General > Passcode lock.
Apple messed up by making Siri available from the lock screen by default. Although the issue is fixable, users who don't follow tech blogs and haven't played around much with voice commands may not even realize what Siri can do from a password-protected screen. The default setting should prevent any use of Siri while the phone is locked.
But whether Siri is available or unavailable from the lock screen by default, requiring a passcode to access the virtual assistant introduces a dilemma.
The point of making Siri available on the lock screen is to allow fast, eyes-off access to useful features. Say you're driving, or walking down the street, and want to fire off a quick message without taking your eyes off the road. Being able to access Siri without fumbling to enter a passcode--or even without taking the phone out of your pocket when connected to a Bluetooth headset or car speaker--would really come in handy.
A Passcode Shares The Blame
That's why the passcode itself shares some of the blame here. For Siri to be both secure and useful when locked, we need new ways to access the phone. The face recognition in Android Ice Cream Sandwich is a good idea. So is the thumbprint reader on Motorola's Atrix. In Apple's case, voice identification would be the best solution. It would allow the phone's main user to access any of Siri's voice commands even when the phone is locked, while requiring a passcode or some other fallback from other users.
In the meantime, I hope Apple changes the iPhone 4S's default settings to keep Siri locked behind a passcode.