I borrowed a passcode-locked iPhone 4S from a colleague here at Sophos and, with his permission, was able to write an email, and send a text message. If I had wanted to I could have meddled with his calendar appointments too.
All without having to enter the passcode. I’m sure you can imagine some of the ways this could potentially be abused.
Of course, this can be changed with a simple setting. I’m glad Cluley points this out, but I could do without the side order of passive-aggressive sauce[1. Oh, and the advertising in the article is nice, too.]:
What’s disappointing to me though is that Apple had a clear choice here.
They could have chosen to implement Siri securely, but instead they decided to default to a mode which is more about impressing your buddies than securing your calendar and email system.
Passcodes are good, but — as always — once physical access is acquired, all security measures are less effective.