Attackers can access information from locked iPhones by using Siri, the YouTube channel iDeviceHelp found.

Through the exploit, a user’s private information from their iPhones, including contacts, photos and message logs, can be compromised, according to Apple Insider.

How It’s Done

In order to get into an iPhone that does not belong to them, attackers must first ask Siri “Who am I?” iDeviceHelp explains in a video. Then Siri responds by giving the name and contact information of the phone’s owner. Next, an attacker can use another iPhone to call the locked device and begin to send a custom message. After doing that, attackers order Siri to turn on voice over.  

Assailants must then quickly double-tap the contact section of the message and hold the second tap on the bar, while clicking on the keyboard. If done properly, the attacker can then type in a letter and see the contacts in the phone. Assailants can get more information on the contact by tapping the info button, even though the device is locked. By tapping the “add photo” button, attackers can access photos in the iPhone.

Attackers can use that process on any phone going back to iOS 8.0, including iPads, the YouTube channel EverythingApplePro found. However, Apple Insider tested out the attack and said it could be done on the iPhone SE, iPhone 6 Plus, and iPhone 6S Plus, but could not do it on the iPhone 7 or 7 Plus. Apple Insider said it was probably because of “slightly different keyboard invocation times.”

How to Protect Your Device

In order for iPhone owners to protect sensitive information in their phones, they should disable Siri’s “Access on Lock Screen” in settings and use all security features on the phone.

The testers have informed Apple about the flaw, Apple Insider says.