Siri IS a security risk in an Enterprise environment

[stemcdon]

To prohibit users from having access to Siri even from the lock screen is to enable the passcode and then turn off the Siri option. This can be found under settings --> general --> password lock --> Siri --> off. This changes the setting to "do not allow access to Siri when locked with a passcode". Unless I'm not understanding what you are trying to do and indicate is at risk. Maybe this feature is not available for enterprise permission yet. Otherwise maybe this is the setting you need.

From My original post

I have posted this on other forums - but get a barrage of -
"But you can turn it off responses"

Hoping the average IQ here is a little higher and can understand the issue


......There is the option in the settings to disable siri at the lock screen, however as an enterprise we are not able to leave that option available to the end user as it compromises our security policies. What we really need is to be able to disable and "Grey Out" that option - just like we can do with the the passcode setting......
.

 

[stemcdon]

I've actually just had a bit of interesting information from another site

"there is an open ticket about this in Apple's bug report system. Has been since the 4S release.
The response from Apple was that the option to do this is coming in a new version of the iPCU (supposing that you being an enterprise user would actually be using iPCU) and care was taken in their response to highlight that Siri is beta software and should not be relied upon in the workplace. "


Whilst I appreciate that Siri is a piece of Beta Software - the IPCU (iPhone Configuration Utility) isnt.

We arent trying to use siri in an unsuitable envirnment - we are trying to NOT use it!

 

[C DM]

Wirelessly posted (Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3)

Couldn't you set up the parental controls and turn Siri off that way.

good suggestion, but from what I see (I may be wrong only just had a quick look) the parental controls use the same pin code as to unlock the phone.

Obviousley the end user needs to have the passcode to be able to use the phone.

This should actually work--I'm fairly certain that restrictions require a different security code to be set up which can differ from the phone lock code.

 

[PNutts]

I can't believe that iPhone configuration utility doesn't allow Siri to be greyed out. Albeit I do not have a 4s to test it on.

The iPhone Configuration Utility allows you to globally disable/enable Siri (only).

 

[Qramohn]

So Siri(beta) is a security problem? Then give iPhone 4 to the employees until Siri's security issues are fixed. Don't make it harder than it has to be.

 

[BlaqkAudio]

Wirelessly posted (Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3)



This should actually work--I'm fairly certain that restrictions require a different security code to be set up which can differ from the phone lock code.

I can confirm this. If I try to enable restrictions, it asks me to create a separate restrictions passcode.

 

[stemcdon]

So Siri(beta) is a security problem? Then give iPhone 4 to the employees until Siri's security issues are fixed. Don't make it harder than it has to be.

you want us to roll out iphone 4 and then rollout 4s when the issue is fixed ?

were talking a LOT of phones here

 

[marksman]

I completely understand the issue here... 100%... And I don't take exception to it.

That being said.. in the interim, it seems reasonableness would dictate that all phones would be configured / set up by your department and this option would be turned off.

If someone then went and disabled the feature on their phone to allow it to be hacked if they lost it, well they would lose their job. I understand that having someone one email the CEO would be bad, but it would not be the end of the world, and regardless of what happened the employee would deserved to be fired anyways.

It always bothers me that we end up treating adults like children to such a degree we can only expect them to act like children. It is a vicious circle that can get a bit over the top.

In the meantime if someone chooses to use a ip4S with your systems have them sign a waiver/declaration to make sure they keep that feature off until you have the appropriate controls. I doubt your ceo's email address is some kind of secret that anybody who actually wanted to find out could not find out.

So weighing the actual risk versus the situation it does seem like a a manageable problem. In practice just having someone and their boss sign a form stipulating changing that feature in any way would lead to termination.... I know in reality by the time any search initiative took place and before anyone else gave the IT department any control over firing people it would be 3 years from now and it won't happen... But I am just saying ... in a more perfect world...


"Siri, Text CEO Suck It Greed Daddy!"

 

[stemcdon]

I completely understand the issue here... 100%... And I don't take exception to it.

That being said.. in the interim, it seems reasonableness would dictate that all phones would be configured / set up by your department and this option would be turned off.

If someone then went and disabled the feature on their phone to allow it to be hacked if they lost it, well they would lose their job. I understand that having someone one email the CEO would be bad, but it would not be the end of the world, and regardless of what happened the employee would deserved to be fired anyways.

It always bothers me that we end up treating adults like children to such a degree we can only expect them to act like children. It is a vicious circle that can get a bit over the top.

In the meantime if someone chooses to use a ip4S with your systems have them sign a waiver/declaration to make sure they keep that feature off until you have the appropriate controls. I doubt your ceo's email address is some kind of secret that anybody who actually wanted to find out could not find out.

So weighing the actual risk versus the situation it does seem like a a manageable problem. In practice just having someone and their boss sign a form stipulating changing that feature in any way would lead to termination.... I know in reality by the time any search initiative took place and before anyone else gave the IT department any control over firing people it would be 3 years from now and it won't happen... But I am just saying ... in a more perfect world...


"Siri, Text CEO Suck It Greed Daddy!"

Unfortunately we don’t live in a perfect world and we all have to be audited for security policies and compliance (SOX as an example). Relying on your suggestion in any legal case would be ludicrous.

People (across all organisations) are sacked on a daily basis for sending inappropriate emails. Handing them an excuse to use in such an instance would be plain stupid


Really if people don't understand enterprise legal and security issues they should refrain from making comments as it's a little embarassing

 

[stemcdon]

Wirelessly posted (Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3)



This should actually work--I'm fairly certain that restrictions require a different security code to be set up which can differ from the phone lock code.

On an individual basis it does look like this would work.
But to have to indivually "Touch" each phone......

 

[miles01110]

This entire thread is a nonstarter. Your problem is not Siri - it is trying to integrate Apple products into your corporate network in the first place.

 

[Hammie]

Wrong thread.

How so?

Is this thread not about a security risk of the iPhone on a corporate environment? Are these not other risks that should also be made aware of if people don't know them?

It was just a question asking if they are still concerns...

 

[sectime]

you want us to roll out iphone 4 and then rollout 4s when the issue is fixed ?

were talking a LOT of phones here

Other than bragging rights what makes the 4S a compelling choice over the 4 ?

 

[wickoo]

So... let's hope the next iPhone lost in a bar will have Siri turned on before being wiped out

 

[mkrishnan]

This entire thread is a nonstarter. Your problem is not Siri - it is trying to integrate Apple products into your corporate network in the first place.

...which has been an ongoing issue. Apple has made big strides towards the needs of corporate IT users, but Apple is walking there from the other direction, unlike, say, RIM (who have many other problems), which designed itself around corporate IT and makes slow strides in the direction of the end user occasionally.

The logic doesn't really hang. Even if Siri is "beta" software (which would be absurd if the idea of what beta software had not lost all meaning... Apple is advertising the 4S based on Siri, and Siri is clearly its most noteworthy feature), the 4S itself is not "beta" hardware. Much as Apple won't let a corporate user run Leopard on a new Mac because they're still on Leopard on their network, they won't let the 4S run iOS 4. If Siri is beta software, all the more reason it needs an option to be easily disabled for corporate use.

 

[bighabeeb]

To prohibit users from having access to Siri even from the lock screen is to enable the passcode and then turn off the Siri option. This can be found under settings --> general --> password lock --> Siri --> off. This changes the setting to "do not allow access to Siri when locked with a passcode". Unless I'm not understanding what you are trying to do and indicate is at risk. Maybe this feature is not available for enterprise permission yet. Otherwise maybe this is the setting you need.

You're definitely not understanding

Corporations use a third party to manage profiles on iOS devices (my company, for example, uses a hardware/software combination from mobile iron). Using that console, an administrator can manage a number of things - enforcing encryption, lock passcodes and their complexity etc. Further, they can disallow users to disable those things (for example, on my iphone I cannot turn off the passcode feature).

What he's saying is that the above is the ONLY way to disable siri from the lock-screen. This means that you are putting the onus of security on your users, which is never a good thing (before we had enhanced policies, half our people had passwords for their PCs that were super safe...like Mike1234 or something similar). Basically instead of letting an administrator TELL you "Here's the security policy, deal with it", you're making an administrator tell you "Here's the security policy, please comply". Never a good thing.

I've forwarded this thread onto our MI admins since they may find it beneficial.

----------

Other than bragging rights what makes the 4S a compelling choice over the 4 ?

Umm, the fact that its a better device?

Seriously, why would you buy last year's top of the line, if this year's top of the line is available? Thats just ridiculous. As it is technology moves way too fast to keep up with: if you're going to start off buying year old stuff you're starting OUT behind the curve.

 

[C DM]

Wirelessly posted (Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3)

Wirelessly posted (Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3)



This should actually work--I'm fairly certain that restrictions require a different security code to be set up which can differ from the phone lock code.

On an individual basis it does look like this would work.
But to have to indivually "Touch" each phone......

Couldn't something like that also be configured similarly to how the phone lock code is set up on a batch of phones at the same time?

 

[zorinlynx]

I wonder if you realize that if a user wants to compromise security, they can do so anyway?

They can hand their unlocked phone to a friend who's phone battery died and needs to make a call.

They can jailbreak their phone and remove the corporate restrictions while the corporate servers still think the phone is locked down.

They can accidentally send a text with company data to the wrong person.

Isn't it better to just have a clearly written policy on how the user must manage the device (disable Siri at lock screen, don't let others use your phone, don't jailbreak) and if a user violates the policies, discipline them within the company like anyone else violating company policy?

It's silly to ban a device just because it CAN BE USED to violate company policy. A leg from a table can be used to violate company policy too as its "user" smashes everything in sight with it. Should we ban tables too?

Have a little more faith in the intelligence of those you employ.

 

[alucinari]

I wonder if you realize that if a user wants to compromise security, they can do so anyway?

They can hand their unlocked phone to a friend who's phone battery died and needs to make a call.

They can jailbreak their phone and remove the corporate restrictions while the corporate servers still think the phone is locked down.

They can accidentally send a text with company data to the wrong person.

Isn't it better to just have a clearly written policy on how the user must manage the device (disable Siri at lock screen, don't let others use your phone, don't jailbreak) and if a user violates the policies, discipline them within the company like anyone else violating company policy?

It's silly to ban a device just because it CAN BE USED to violate company policy. A leg from a table can be used to violate company policy too as its "user" smashes everything in sight with it. Should we ban tables too?

Have a little more faith in the intelligence of those you employ.

Spend a month working in IT security and then come back and tell us if you still feel the same way.

 

[nebo1ss]

I have not been in the corporate world for about four years but most users on here will not understand the requirements particularly in the financial services industry. When I was involved in this area, the only device we allowed was Blackberry who provide very sophisticated central management tools.

There are specific requirements in terms of managing user devices and recordingl emails sent and received as well as not allowing changes to be made by the user. This has nothing to do with the IT person being difficult but policy requirement dictated by the legal department.

Of course users could always get their own personal phones but they would not be connected to corporate email servers.

 

[PNutts]

So Siri(beta) is a security problem? Then give iPhone 4 to the employees until Siri's security issues are fixed. Don't make it harder than it has to be.

Our users are allowed to use their personal phones with our policies applied. When someone buys a 4S and wants to use it for business I wouldn't want to be the person to tell them to return it and get a 4S.

How so?

Is this thread not about a security risk of the iPhone on a corporate environment? Are these not other risks that should also be made aware of if people don't know them?

It was just a question asking if they are still concerns...

This is a thread about Siri bypassing security controls, not a general discussion regarding the iPhone's attack surface area. But... it's a community forum and the only control is people deciding to stay on topic or not. I appreciate that this thread hasn't devolved into 10 different conversations. If you have questions about exploits, I suggest a generic thread with that in the title to catch folks attention. Your comment above is a perfect title, "Security risks of iPhones in a corporate enviroment?" Just my US$.02. This thread will go in whatever direction everyone takes it.

 

[Geckotek]

I am not truly worried about the concerns you've listed....calling the CEO? Come on....anybody can do that. Contacting our customers? They can do that as well. And what makes it wrong here, because the caller ID says it came from someone in our organization? I can see that being somewhat of an issue, but only in the rarest of circumstances.

Don't get me wrong, I don't want them having access to our customer list, but that's low on my list of concerns.

I'm more concerned if they have actual access to our data. You're saying they can access e-mail? How exactly?

----------

We would indeed wipe remotley - once it was reported to us.....

It extracts the contacts from the global address list - it you knew the name of the company the phone bleonged to then you have direct access to the CEO. Also Saying email "John" helpfully lists all the available "johns" for you to select.

As an aside though - you could email the ceo and tell him what you think of him - then claim you were in the bathroom and someone must have sirihacked your phone lol (Thats a joke - but the HR issues alone are a nightmare

Have you tested this? Are you sure SIRI isn't just running against the local contacts on the phone? I doubt SIRI is checking against the GAL.

 

[donaldsmith]

As companies branch out from RIM's BlackBerry, which is designed from the ground up security companies, the report by security firm Symantec found that more consumer-oriented platforms exposes companies to risks unwanted.

 

[sectime]

You're definitely not understanding


I've forwarded this thread onto our MI admins since they may find it beneficial.

----------



Umm, the fact that its a better device?

Seriously, why would you buy last year's top of the line, if this year's top of the line is available? Thats just ridiculous. As it is technology moves way too fast to keep up with: if you're going to start off buying year old stuff you're starting OUT behind the curve.

Better how for a business environment?? Newer is not automatically better. Right tool for the job no more no less.

 

[bighabeeb]

I wonder if you realize that if a user wants to compromise security, they can do so anyway?

They can hand their unlocked phone to a friend who's phone battery died and needs to make a call.

They can jailbreak their phone and remove the corporate restrictions while the corporate servers still think the phone is locked down.

They can accidentally send a text with company data to the wrong person.

Isn't it better to just have a clearly written policy on how the user must manage the device (disable Siri at lock screen, don't let others use your phone, don't jailbreak) and if a user violates the policies, discipline them within the company like anyone else violating company policy?

It's silly to ban a device just because it CAN BE USED to violate company policy. A leg from a table can be used to violate company policy too as its "user" smashes everything in sight with it. Should we ban tables too?

Have a little more faith in the intelligence of those you employ.

This may be one of the dumbest things I've ever read. I quite honestly can't even list the number of things that I can identify as "Wrong" in such a brief statement.

Since there's no point in security, why have passwords on laptops at all? After all, they can just unlock the laptop and hand it to someone else right?

There's a reason that our management system also has the ability to detect and block jailbroken devices. Rules were made to be broken, unless you make them unbreakable.