My brother accidentally discovered a handy Siri trick this week while dealing with car insurance in the aftermath of a hail storm. When it came time for him to call 1-800-PROGRESSIVE and figure out his claim, for whatever reason he decide to say "Hey Siri, call 1-800-PROGRESSIVE" instead of dialing by hand...and it worked like a charm.*
Turns out, Siri can natively convert vanity phone numbers (or "phonewords") into their appropriate digits and make the phone call with no need to dust off your T9 texting talent. Need to call 1-800-FLOWERS or 1-800-CONTACTS, but can’t see those tiny letters without your contacts? Siri has you covered. And to be sure that it wasn't just Siri pulling the web results for notable brands, I asked Siri to call a few random 7-digit 1-800 numbers (like 1-800-ACTUARY and 1-800-SUNFISH) with each one working just as well as any major company's vanity digits.
Naturally, Siri still manages to drop the call ball in certain edge-cases; when I asked to call 877-CASH-NOW, Siri instead dialed 877-2274...immediately. Similarly, 877-KARS4KIDS failed to go through — this time throwing up an unhelpful "Sorry, you'll need to open the Phone app" alert. I assume that the interstitial 4 throws off whatever word recognition is going on here. Even so (like so many of Siri’s uses), the 70% success rate is still pretty handy when you need it.
* Attentive readers will note that "1-800-PROGRESSIVE" does not map neatly onto Progressive's customer service number of 1-800-776-4737, being well over seven digits. It turns out, the phone system natively truncates numbers in excess of 11 digits (including the +1 country code), ignoring any characters entered afterwards — neat!
Over the holidays, Destin Sandlin from SmarterEveryDay released a video demonstrating how many popular smart home devices (like Google Home, Amazon Echo, and even Siri) can be fed voice commands from afar with a laser. If you haven't seen it yet, go give it a watch — it's a fascinating video. Importantly, as Destin points out, this exploit likely doesn’t present much risk to the average consumer — precisely aiming finely-tuned lasers, converting a voice message into the correct beam sequence, and having proper line of sight to the target device’s MEMS microphone all present roadblocks that make this strategy pretty impractical. That being said, understanding what access your smart assistants have to your light switches, locks, and garage doors — and how secure those assistants are — is important information you should equip yourself with. So, let’s see what options we protect Siri and your iPhone from attacks like this one, as well as others.
Disabling “Hey Siri” (or Siri Entirely)
The way the laser exploit in Destin’s video works is by targeting the MEMS microphone that listens for the “Hey Siri” summon phrase and the subsequent command. Naturally, the easiest way to prevent this laser hack — or just prevent someone with a similar-enough voice from activating Siri — is disabling “Hey Siri” entirely. This means you’ll have to long-press the side button to activate Siri manually, but nothing less than physical access to your device will allow someone to trick Siri into unlocking your doors. Navigate to Settings > Siri & Search and turn the "Listen for Hey Siri" toggle off. Now, even a precisely aimed laser with encoded voice instructions aimed at your phone won't be able to trigger any action by Siri. If you are extra concerned about someone misusing Siri (despite it's many useful features), you can also disable it entirely by toggling off both "Hey Siri" and "Press Side Button for Siri".
Disabling “Hey Siri” (or Siri entirely) will also protect you from anyone hijacking your voice assistant.
Limiting Access to Your Locked Device
Siri already restricts certain actions and requests if your phone is not unlocked — for instance, asking “Where is my wife?” to find their location using Find My always requires your iPhone to be unlocked. As Destin found out in his video, unlocking a smart lock or opening a garage door also requires your iPhone to be unlocked — the operating system understands that access to a physical location is being requested, so it rightly asks for some authentication.
These toggles will allow you to restrict access to certain features of your phone while it is locked.
When it comes to less sensitive requests (like turning on a smart lightbulb), Siri is more lax by default. Luckily, some granular control exists if you’re worried about covert efforts to dim your lights. If you navigate to the “Face ID & Passcode” page in Settings, there is a section called "Allow Access When Locked" with various toggles for different tools and features. As you might guess, toggling any one of these off means that feature cannot be accessed while the phone is locked. If you toggle "Home Control" off, voice commands involving smart home devices will require you to set up a HomeKit pin to control the devices with Siri — that is, unless you unlock your phone. Disabling HomeKit access from the lock screen prevents malicious actors equipped with either laser beams or good vocal impression skills from adjusting your thermostat without permission.
