In July 2024, Apple quietly patched a security vulnerability that could let someone use Siri to peek at sensitive info on a locked iPhone, iPad, or Apple Watch. If you have a device running iOS 17, iPadOS 17, or watchOS 10—and you haven’t updated to 17.6 or 10.6—your data might still be at risk. Known as CVE-2024-40813, here’s everything you need to know, broken down for everyone.
What Was CVE-2024-40813?
This bug allowed someone with physical access to your device to use Siri and potentially bypass certain lock screen protections. Basically, the underlying problem was improper state management: the device could get confused about what should stay locked and what Siri was allowed to access.
Maybe even other app data, depending on configurations
Note: The attacker had to physically possess your device—this isn’t a remote attack. But it means the threat is very real if you lose your phone, or someone grabs it when you’re not looking.
The Technical Problem (in Simple Terms)
The vulnerability was in how lock screen state was managed. When Siri was invoked, the system was supposed to double check: "Is this request allowed right now?" But the code managing this check could get tricked—or simply miss—the fact that the device was still locked, or that certain data wasn’t supposed to be available.
From Apple’s Advisory
> “A lock screen issue was addressed with improved state management. ... An attacker with physical access may be able to use Siri to access sensitive user data.”
See the official release note here.
Go to
Settings → General → Software Update
And install the recommended update.
Example: How an Attacker Might Exploit CVE-2024-40813
Let’s look at a (hypothetical) script simulating an attacker’s steps—for educational purposes only!
1. Pick up the locked iPhone.
2. Hold home/power button to activate Siri.
3. Ask:
- "Show my last text message"
- "Who did I call last?"
- "Read my last email"
4. Wait for Siri to respond with sensitive details.
Here’s what the (simplified) broken check might have looked like in code
// Pseudocode for state management bug
if siriRequest {
// Oops! Did not check if device is unlocked!
return sensitiveData
} else {
// Correct behavior
denyRequest()
}
With the Fix
if device.isLocked {
// Always deny when locked
denyRequest()
} else {
// OK to process
return sensitiveData
}
Update your Apple devices now to the latest version (see above).
2. Review your Siri settings: You can control what info Siri is allowed to access when your device is locked.
- Go to Settings > Face ID & Passcode (or Touch ID/Passcode)
References and Further Reading
- Apple Security Updates – July 2024
- CVE-2024-40813 record
- How to configure Siri access on lock screen
Final Thoughts
CVE-2024-40813 is another reminder that even minor bugs can have big privacy impacts. If you value your messages, contacts, and emails staying secret, update your Apple devices to iOS 17.6, iPadOS 17.6, or watchOS 10.6 today. And remember—if you don’t want Siri spilling secrets, tweak those lock screen preferences!
Have questions or want to learn more about mobile security? Leave a comment below.
---
*© 2024 – This post is original content for learning and awareness. Please share responsibly.*
Timeline
Published on: 07/29/2024 23:15:13 UTC
Last modified on: 08/15/2024 16:15:52 UTC