The potential for Siri-based data disclosures was cited at a Helsinki press conference, at which F-Secure’s vice president, Maria Bordgren, said that Apple’s lack of known corporate security policies leaves enterprises vulnerable. Siri queries and other information are stored as text in Apple’s data centers.
An attacker who accesses that data could learn enough from an employee’s smartphone usage and contacts to launch a sophisticated phishing scam or steal data outright.
“Four out of 10 users don’t worry about corporate data and don’t think it will leak,” Bordgren said, according to the technology site V3.co.uk. “Take Siri, it’s cute right, I like it but if you ask it a question, the data is not stored on the iPhone – it goes to a data center in Oregon. If anyone was interested in that information you’re screwed.”
Bordgren’s warning comes just days after Apple announced that a more powerful version of Siri would be available on both the iPhone and the iPad, a mobile device popular with businesses.
In addition to query processing, Siri uploads personal data such as a user’s name, nickname, preferred language and relationships to contacts in order to help understand the iPhone 4S user and better answer queries. Apple has been reticent about how that data is stored or secured.
Last month IBM, which in 2010 loosened restrictions on employee mobile phone use, extended its device management program to ban the use of Siri. It also has forbidden work-related use of public file-transfer services such as iCloud and Dropbox and automatic forwarding of IBM e-mail to public Web-based mail services. IBM workers also cannot use their smartphones to create open Wi-Fi hotspots.
“IBM have already denied the use of Siri as there is no way of knowing what information is going out about your company,” F-Secure’s Bordgren said.