“Hey Siri, how could you?”
Every Apple phone since the iPhone 6s can be woken up by someone saying, “Hey Siri,” and then asking it to do something. This is useful if your phone isn’t in your hands and you want to send a text, or maybe turn on a smart light. But it’s also possible to use this function on phones that aren’t your own.
Any phone that can be woken up by “Hey Siri” can be used to send a message or a make a call from that phone, with the recipient thinking it’s come from the phone’s owner. Theoretically, anyone who finds an iPhone could ask it to call the last number dialed, or even just say a random person’s name to text—even when the phone is locked. For example, saying “text Dave” to Siri on my phone automatically brings up my colleague Dave Gershgorn.
It’s not a stretch to see how law enforcement could use this loophole in Siri to figure out if someone knows someone else, simply by asking that person’s phone to call them and seeing if they are in their contacts. Apple was also the company that stood up to the US Federal Bureau of Investigation in 2016 when it asked the company to help it bypass the lock screen on the San Bernardino shooter’s iPhone. Apple declined, citing user privacy. It’s since gone on to make privacy a major part of its iPhone advertising.
This security loophole exists because someone can pick up a phone, hold down the button that triggers Siri, and ask it anything. And although when “Hey Siri” is set up on a device, the phone tries to learn how the user speaks, Siri can struggle to distinguish between voices. If your voice is similar to someone else’s, you could theoretically access their phone without even touching it.
There are other voice assistants on the market that support multiple users—such as Google Assistant and Amazon’s Alexa—which can learn to discern one person’s voice from another. Apple’s Siri does not yet have this feature, although it is reportedly in the works.
Apple wasn’t immediately available to comment on when or whether it plans to make voice commands on locked iPhones more secure.
How to turn off “Hey Siri”
If you’re concerned about people sending messages without your consent, it’s pretty easy to turn off the “Hey Siri” feature:
- Go to Settings
- Scroll down and tap on “Siri & Search”
- You can either turn off the toggle that says “Listen for ‘Hey Siri'” or the one that says “Allow Siri When Locked”—the latter will leave “Hey Siri” on, but only when you’ve authenticated and unlocked your phone
This post has been updated to reflect that not every person will be able to unlock another iPhone with “Hey Siri,” unless they have a similar voice to the phone’s owner.