Somebody got too excited - this is a feature, not a flaw. Also, it's getting boring, these lock screen "hacks" that half the time are intentional behaviours. A true hack would be accessing your phone remotely. If you at any point allow the "hacker" physical access to your phone, then you either shouldn't store all these TOP SECRET documents there, or should change friends (because I assume most of these lock screen "hacks" are used for pranks - I can't imagine leaving my phone unattended outside my home).
If this is a feature, it is a badly designed one, because this could be a real problem if your phone is stolen and you don't notice, for instance. They should have added a voice identification system or similar to balance convenience and security, at least on the first use to open a timed session, which is totally in their capabilities in my opinion.
This feature is only badly designed in that it's not communicated during the setup process that Siri will still work. This is a feature, it can be turned off, and is 100% intentional.
The security you propose doesn't provide enough security to be worth the effort. (Hello tape recorder!)
Swipe up on the locked phone to get to the control panel
Open the stopwatch app
Go over to alarm clock
Hold the power button until you get the "Power down" prompt
Hit the cancel button and immediately hit the home button twice, holding it down just a little longer on the second press. It takes a try or two to get the hang of.
Then you're in the target's multitasking menu
Go to the camera app, view photos, and you can share the pictures from there with email, Twitter, and more.
"........have stumbled across a huge security flaw"
for a behaviour which is careless at worst, and an actual option in the pass lock settings.
This may be a controversial viewpoint, but I definitely think the massive attention given to security problems is causing these people to hype up some feature they don't like as an important security flaw. This is ridiculous.
(Also a reason why rampant 'technology press' 'reporting' should typically be ignored. I'll bet this is already making the rounds on MacRumors and similar rags.)
If only Siri could validate it was your voice making the commands. But with my experience of Siri on the 4S with iOS 6, Siri fails most of the time with the simple things like "Call [name] mobile" but worse, takes ages to even fail (due to network flakiness though).
If I remember correctly, in iOS6 when interacting with Siri while the phone was locked, Siri would respond to certain commands by telling you that you needed to enter your passcode to do that.
I just tried it, and I couldn't get it to update my Facebook; it just kept saying "command not found". Though I have to admit, I don't use Siri. It did seem that I would have been able to place phone calls, but the numbers I tried were international, and I don't have an international plan.
If this is true, it is an impressive security debacle for a company like Apple. "Allow Siri access while the iPhone is locked" should clearly be off by default, and the user should be alerted about the potential dangers when deciding to turn it on.
I was under the impression that this was by design. I guess it depends what expectations you have for a passcode lock.
My expectation is that my phone is reasonably secure from co-workers when I leave it on my desk for fifteen minutes at a time. And that if stolen, I have enough time to remote-wipe it before the passcode is bypassed.
When a door is locked, I don't expect it to open by saying "let me through". With all the specific differences, I think this is a reasonably common expectation to have.
You have some limited access to features while Siri is on, only if the allow with passcode option is enabled. You do not have full run of the entire phone, nor are you able to bypass the lock screen.