Several security sites are reporting that the default setting on the iPhone 4S leaves the Siri voice command system accessible even when the phone is locked. This means that if anybody gets hold of your phone, even for a few seconds and even if it is locked, they can say a few words and perform a whole range of tasks that will appear to have been performed by you: send text messages, make and cancel appointments, delete people from your contact list, and so forth. Siri does not distinguish your voice from the voices of others. If it can recognize the words, it executes the command.
I can only presume that Apple made this decision because currently you can answer calls and receive text messages without unlocking your phone. Some of the actions you might want Siri to perform, such as forwarding an incoming call, might involve those things. Unfortunately, the potential for mischief and malice is huge, not to mention a whole new range of variations on the butt-dialing phenomenon. So I recommend that ALL iPhone users change the Siri settings to make Siri unavailable when the phone is locked with a passcode. Fortunately, that is easily done.
Frankly, Apple’s choice of convenience over security in the default settings represents outdated thinking. There once was a time when you bought a home wireless hub or router and the security was disabled by default (all you had to do was plug it in and it would immediately be accessible from all the devices in your home, not to mention your neighbors’ homes and people driving by on the street, etc.). Now home wireless hubs and routers all have security turned on by default and the number of open hotspots one finds in residential neighborhoods has dropped dramatically.
However, disabling Siri when the phone is locked with a passcode does not help if you never lock your smartphone. Newly purchased iPhones do not have a password and do not have a timer to lock the screen after a period of inactivity. Unless those defaults are changed, the phone is completely available if it falls into malicious hands, even if only briefly. That is another major concern of security experts. Way too many American users never set the passcode or inactivity timer because they feel it is too much trouble to unlock the phone. Modern smartphones are essentially the equivalent of a personal computer in terms of privacy concerns. Even the most minimally security-conscious person has a login and screen saver password on their laptop computer. Yet many leave their smartphone wide open all the time.
With convenience cited as the reason why most people leave their smartphones unlocked, phone manufacturers are trying to position themselves in that regard. The next release of Android (code name Ice Cream Sandwich) will have facial recognition unlocking, Microsoft’s Windows 8 will have a picture password feature (where the password is made by touching a sequence of points on a screen picture), and other gesture-to-unlock features and utilities are also being presented. Each of these may have its own potential flaws (such as facial recognition being fooled by a picture, or gestures being observed and used by others). However, they are all much more secure than an always-unlocked phone or tablet.