[HN Gopher] SiriSpy - iOS bug allowed apps to eavesdrop on your ...
___________________________________________________________________
SiriSpy - iOS bug allowed apps to eavesdrop on your conversations
with Siri
Author : mnem
Score : 243 points
Date : 2022-10-26 19:11 UTC (3 hours ago)
(HTM) web link (rambo.codes)
(TXT) w3m dump (rambo.codes)
| QuackyTheDuck wrote:
| Sigh ... I so much want Apple to get their shit together. To me
| it feels like software quality reached a new low.
| [deleted]
| z9znz wrote:
| There were some stubborn bad decisions that Steve Jobs stuck to
| (1 button mouse, windows that don't appear when you cmd-tab to
| them), but his Apple seemed to have better software. Since him,
| it really seems to have gone downhill in terms of bugs and UI
| consistency.
| gw99 wrote:
| The scary thing is it's the least bad option when it comes to
| overall reliability.
| gtvwill wrote:
| Ooo that's a big depends on the situation. Making only phone
| calls. Sure iPhones are great. Running LOB apps. Lol have fun
| passing that crap through apples store. Androids way easier
| for LOB.
|
| Remote MDM? Lol nightmare using apples gear. Warranty
| services? Also a nightmare. Fleet level warranty support?
| Ahahhahhaha have fun paying folks like IBM out the kazoo. No
| thanks.
|
| iPhones are rock solid if you played w Fischer price toys as
| a kid and only ever plan to be on the public consumer end of
| the game, making calls and using apps someone else has
| decided are ok for you. Go up the line to fleet rollout or
| bulk purchasing/warranty work or running custom line of
| business apps. Ahahhahhaha have fun w apple I've done the
| work when I was w/ ibm, I refuse to touch it these days.
| plugin-baby wrote:
| What are LOB and MDM?
| gtvwill wrote:
| Line of Business, Mobile Device Management.
| codalan wrote:
| I think it depends on the phone.
|
| The Google Pixel series seems pretty solid for reliability. I
| have a Pixel 7 Pro and it's been really good so far in terms
| of software and build quality. I strongly prefer it to my
| iPhone 13 Pro, which I'm currently selling off.
|
| But iPhone vs Samsung Galaxy? iPhone wins by a mile. I never
| got used to the custom interface Samsung loaded onto those
| phones, and hated that it included Samsung-specific apps that
| just duplicated those already available by default on stock
| Android.
| gw99 wrote:
| I have an iPhone 13 Pro. I found that Android is almost a
| brick the moment you lose an Internet connection where as
| the iPhone is still productive and I can do stuff offline
| and it'll sync everything later no problems.
|
| That is a complete dealbreaker for me for Android. Also,
| Google.
| JamesonNetworks wrote:
| Pixels had a defect where emergency calls didnt work with
| MS teams installed. Both platforms wither under the lights
| Tijdreiziger wrote:
| They _still_ have problems with emergency calls.
|
| https://www.androidpolice.com/google-pixel-phones-
| struggling...
| freeplay wrote:
| Couldn't agree more. As stupid as it may be, the only reason I
| haven't moved to Andoid/GrapheneOS is iMessage.
| [deleted]
| hazyc wrote:
| Is anyone else an avid iPhone user, yet also someone who never
| uses Siri? I've used an iPhone exclusively for the past 8 years,
| and I can count on one hand the number of times I've used Siri.
| Interestingly, the one person I know who loves using Siri is my
| 70yr old dad.
| zippergz wrote:
| Yes, I have had iPhones from the beginning and I never use
| Siri.
| BudaDude wrote:
| I use Siri for setting timers and reminders. It's pretty good
| at parsing numbers. Other than that, It hasn't been very
| reliable for me. Apple really needs to overhaul Siri's
| intelligence.
| trap_goes_hot wrote:
| I use it for things like 'will it rain today' or sending quick
| texts when I am driving.
| dfee wrote:
| I use Siri all the time and am half your dads age.
|
| "Get directions to the nearest gas station.", "What's the score
| of the Giant's game?", "Play Master of Puppets", "What is 4'3"
| in centimeters?" And many, many more.
| Firmwarrior wrote:
| Man, I used to love using Siri, until I had a daughter and
| named her "Sarah"
|
| big mistake. Turns out I say "Hey Sarah" a hundred times a
| day, and all my iDevices pipe up and simultaneously say
| "Yeah?" "WHAT'S UP" "HEY OVER HERE" "Hi it's me Siri what do
| you need?"
| keepquestioning wrote:
| Why did you pick 'Sarah'
| Firmwarrior wrote:
| Late every night I cry and scream while asking myself
| this same question, surrounded by my iPhone, Apple Watch,
| 3 iPads, MacBook Pro, and Mac Studio
|
| How could I have been such a fool!???
| bigiain wrote:
| "You're naming your children wrong." -- Jeve Stobs.
| parker_mountain wrote:
| I use it pretty frequently, mostly to set timers, alarms, or
| send quick texts without getting up.
| Aaronstotle wrote:
| I only enabled Siri because it was necessary for CarPlay, it's
| about a 50% success rate on getting anything right on the first
| try.
| SigmundA wrote:
| I was that way for a long time, but the Apple TV remote got me
| using it and I now occasionally do use it on my iPhone, mainly
| while driving to play music on reply to texts. Definitely has
| come a long way and is useful, one of my friends never types
| texts anymore and just dictates through Siri.
| [deleted]
| [deleted]
| joshstrange wrote:
| My trust of what Siri is capable of is laughably low but I do
| use it for reminders ("Remind me on X day...", "Remind me in X
| hours...", "Remind me when I get home...") and for timers.
| Occasionally I'll use it for unit conversions but I usually use
| Alexa for that since I'm in my kitchen often when I use that
| and it's just right there. Other than that I don't use it.
| dylan604 wrote:
| I have never enabled Siri on any device. Precisely for fear of
| this kind of shit, or the ones where humans are listening to
| the recordings that are obviously being made, and all of the
| other logical conclusions one can reach on how this can be
| abused.
|
| Just like HDD failures, it is not a question of if but when.
| tristor wrote:
| You are not alone. I've been using an iPhone for over a decade
| now. I've had Siri turned off the entire time. I have never
| turned it on. I do not now, or ever, want a "voice assistant"
| or any technology that listens to me and tries to understand
| what I want by listening to me. I want technology that does
| exactly what I tell it to do and nothing more.
|
| Siri is a better option than the alternative "voice assistants"
| on the market, but they're all bad in my book, and I don't want
| any of them.
| nanidin wrote:
| Siri killer apps for me are asking for factoids via my watch,
| and opening my garage door as I approach while driving (my
| building uses an app that requires multiple taps + swipes to
| open the garage door, using Siri makes it palatable.)
| gleenn wrote:
| Are you using proprietary garage door software? Would live to
| have any better kind of integration there so any setup
| details that aren't crazy specific to some manufacturer would
| be interesting
| nanidin wrote:
| My apartment building recently switched to an access
| control system called Brivo. It replaced a keyfob + garage
| door opener system with an app. Overall not the greatest as
| it's now difficult to get into the building if you leave
| your phone at home.
|
| My "integration" with Siri is to set up an iOS shortcut and
| use Siri to trigger it.
| pcardoso wrote:
| Not the parent, but I use Shelly devices flashed with the
| shelly-homekit firmware and I can control them with the
| HomeKit app or Siri.
|
| I haven't bothered yet to add a open/close sensor so the
| current open state is lost if I use the remote. I have to
| invert the actions when this happens. Annoying but I only
| need to use it this way occasionally.
| bdougherty wrote:
| I only ever use it in the car with CarPlay.
| kitsunesoba wrote:
| My personal use as someone his 30s is mostly as a kitchen timer
| with a HomePod mini (not my phone), to turn on/off lights, and
| to occasionally toss things onto a to-do list.
|
| My dad on the other hand loves his full size HomePod stereo
| pair and uses them frequently, almost entirely for playing
| music with voice commands. I think there are other things he
| might find it useful for but I haven't shown him those yet.
| dilap wrote:
| Occasionally I ask her (it?) to set a timer or add a reminder,
| but mostly I don't. Siri is quite slow and frustratingly
| limited.
|
| The other day in a hurry and driving somewhere, I ended up w/
| both Apple Maps and Google Maps open, simultaneously giving me
| directions.
|
| "Hey Siri, close Google Maps"
|
| "To close an application, swipe up from the bottom of the
| phone..."
|
| To paraphrase a quote from Steve Jobs, if your voice assistant
| asks you to touch the screen, you blew it.
| pftburger wrote:
| Seconded. I get way too many "Im sorry Dave, I just can't do
| that" moments
| Kye wrote:
| Siri's performance and quality seems to depend a lot on the
| on-board ML cores since it switched to on-device. It was
| basically unusable on my 6S Plus with its early ML cores, and
| now it's great on the 14 Pro Max I replaced it with. It seems
| like they ship a Siri to match the device capability.
| BudaDude wrote:
| It makes no sense that Siri is so stunted in what she can do.
| z9znz wrote:
| No kidding! She obviously knew what was wanted, but instead
| of doing her fing job, she tells you how to do it yourself.
| She doesn't like when I tell her to F herself. I hope some
| of those recordings end up with Apple training.
| throwaway290 wrote:
| May they be hedging against a vulnerability where a
| malicious person with similar enough voice closes some
| crucial app in a sticky situation. It's not as harmless
| than setting reminders/alarms which I use Siri for.
| genewitch wrote:
| yeah like in that movie when the Bomb Squad is using
| Pocket Bomb Defuser Pro 2023 and the bomber shouts over
| the loudspeakers "Siri, Turn off Bomb Defuser Pro" and
| then everyone was sad.
|
| A moody teenager rips a poster of Jobs off their bedroom
| wall.
| knodi123 wrote:
| I switched from Android a few years ago because my company
| gives out iphones as a perk. I used "ok google" extensively,
| and loved it. It was incredibly good at answering obscure
| questions and doing things like navigating or playing a song.
| It would do what I wanted almost every time, even if I was
| trying a new command for the first time.
|
| I try to use Siri for the same things, but she suuuuuuucks. If
| I ask her to play a song, 9 out of 10 times it will do
| something idiotic- like I say "hey siri play tears in heaven on
| spotify", she might reply "now playing tears in heaven by a
| shitty kazoo cover band". If I say "navigate to the closest
| olive garden", it would say "navigating to olive garden
| corporate headquarters, estimated travel time 43 hours 12
| minutes." But never mind, I can see the olive garden I was
| looking for, it's at the end of the street I'm on.
|
| These are artificial examples because I can't remember
| specifics right now, but trust me - the real examples were just
| as dumb.
|
| She's great at setting timers or alarms though! And I can
| reliably use her to pause, skip, or adjust volume when I'm
| showering or something.
| dcdc123 wrote:
| The only reason I even have it enabled is because it is
| required for voicemail transcription.
| TheFreim wrote:
| > I know who loves using Siri is my 70yr old dad.
|
| My mother loves using Siri, she always uses it when she wants
| to look things up. It seems quite useful for people who aren't
| proficient at typing quickly, easier to ask Siri.
| asadlionpk wrote:
| I just use it in text-mode ie. Double tap siri button, type the
| thing I want (wake me 7am). Done.
| Ntrails wrote:
| I disabled it all the day it came out.
|
| I briefly enabled so I could text mum to say when I was nearly
| home. Avoids sneaking a traffic light text. Turns out it was
| waaaaaaaay more distracting and time consuming to get siri to
| text a single word, so back into the box it went
| madrox wrote:
| In my experiences working on voice OS, it's boom or bust
| depending on the user. Some people use it rarely if ever and
| some people live by it, and there's little in between. I think
| it makes sense in most cases to view voice commands as an
| accessibility feature.
| sbf501 wrote:
| iPhone user since 2009. I used Siri for about a month when it
| first came out because I really liked hearing a British man's
| voice said "SSSSHedule" to me instead of "skedule", but then I
| learned it was sending all audio to the cloud and noped out.
| z9znz wrote:
| I use Siri to set a timer. That's it. And I do it by holding my
| power button to activate her.
|
| My only other use of Siri usually involved phrases like "stop",
| "go away", "close", "fucking close!", "you stupid f _cking *_
| ** close the **** thing " when Siri would pop up out of nowhere
| and interrupt whatever I was actually doing. I had it turned
| off, but occasionally somehow it's back on, listening.
|
| Other actual attempts at using it have been no better than 50%
| effective, so it wasn't worth the trouble. And I was speaking
| very clearly and articulately.
|
| I've observed a friend (a Googler who had Google-fied his
| house) have frequent useless conversations with the Google
| assistant, so maybe 50% is the best you can hope for. No
| experience with Alexa, but I'd be too scared to even turn it
| on; I might end up with three refrigerators delivered the next
| day.
| jdwithit wrote:
| Same here. Even that simple task (setting a timer) only has
| about a 75% success rate for me. The other 25% it spins for
| 30 seconds then says "hmm something went wrong". Trying for
| anything more complex, even playing a song or album, is just
| asking for trouble. I honestly can't believe how bad Siri is
| despite years of development.
|
| I do have an older iPhone 10 and maybe it's just not up to
| the task of running Siri? But if so they should disable it
| rather than put on this extremely amateur feeling show.
|
| For what it's worth we have an Echo Dot in the house and I
| find it to be both orders of magnitude more responsive and
| more likely to actually do what I asked for. No unwanted
| refrigerators have arrived as of yet.
| aparks517 wrote:
| For sure. I stood in line for the original iPhone, owned every
| model (except the 5C) up through the 6, then an SE, X, and now
| an 11 Pro since it came out. I played around with Siri when it
| debuted, but didn't use it much. I turned it off at some point
| (I think it was when Apple was catching grief for keeping
| recordings or something like that) and haven't missed it. I'm
| not against it especially -- it just never really became part
| of my life.
| z9znz wrote:
| My colleagues and I had a moment of fun somewhere in remote
| Iceland, offroading on the way to a glacier. On an iPhone 3G,
| we were able to ask trivia questions and get pretty useful
| responses.
|
| Aside from setting a timer, I've not seen Siri do anything
| more useful in 9 years. You haven't missed anything.
| lagrange77 wrote:
| The first day i asked her for the weather, songs and alarms.
| The second day i turing tested her, asked it philosophical
| questions and insulted it the worst way. Yes, that was pretty
| much it.
| z9znz wrote:
| Ironically, she will complain if you cuss at her and call her
| names, but she won't turn herself off. And when she pops up
| without my request, and I want her to go off, it seems
| there's no verbal way to make her go away... even verbally
| abusing her.
| lapcat wrote:
| Don't forget that iOS and macOS silently re-enable Bluetooth on
| every software update.
| https://lapcatsoftware.com/articles/bluetooth.html
| [deleted]
| walterbell wrote:
| Even worse, Control Panel buttons only "suspend" BT/WiFi, you
| have to go into Settings to turn them off again ... and again
| ... and again.
| sixstringtheory wrote:
| I called this a data grab from day 1 and stand by that. The
| amount of fellow iOS developers I've had argue for the
| "convenience" is astounding. There should be a settings
| toggle to control the auto-reenable behavior.
| mikece wrote:
| I don't want stories like this to be the reason I'm glad I
| switched to Graphene OS. I don't want anyone hacked or spied on.
| aaronharnly wrote:
| Pro tip: all systems have bugs.
| [deleted]
| runjake wrote:
| A $7,000 bounty for eavesdropping and TCC (app permissions)
| vulnerabilities. Insulting.
| rtev wrote:
| This is why people sell bugs.
| [deleted]
| pxmpxm wrote:
| My first thought as well - the author must be doing this stuff
| as a hobby/for fun, because that's not nearly enough to comp
| you for the time spent.
| henriquez wrote:
| Seems like $70,000 would have been a more fair bounty. This is a
| really nasty bug.
| pvg wrote:
| _$70,000 would have been more fair_
|
| There's really no basis for this beyond its reflexive
| repetition on messageboards. You might as well type 'million
| dollar logout CSRF' in every vulnerability report thread.
| lapcat wrote:
| Here are the listed payouts from the Apple Security Bounty
| program, starting at $25,000.
| https://developer.apple.com/security-bounty/payouts/
| pvg wrote:
| The closest is
|
| _$25,000. App access to a small amount of sensitive data
| normally protected by a TCC prompt._
|
| In this case you get a misleading prompt, the access
| requires additional interactions. It's a serious bug and
| I'm all for reporters of serious bugs getting bigger
| bounties from companies that have more cash than they know
| what to do with. But simply dropping a random number in
| every single one of these threads is just noise, not even
| advocacy or technical discussion.
| TheJoeMan wrote:
| I think you missed the end of the article where any MacOS
| app could turn on your AirPods microphone without any
| permissions at all and at any time at all.
| pvg wrote:
| I didn't, it's just that 'vulnerability that requires a
| malicious app on macOS' is a much less interesting one
| that something like that for iOS.
| lapcat wrote:
| "Full TCC Bypass on macOS"
| dangerwill wrote:
| It is definitely arbitrary but part of me does think that
| surfacing such a bug is pretty important and if the monetary
| incentive was higher then we would have more white hat
| pentesters out there.
| [deleted]
| tonywastaken wrote:
| "iOS bug allowed apps to eavesdrop on your conversations with
| Siri" should be "iOS bug allowed apps to eavesdrop on your
| interactions with Siri and dictation over bluetooth"
| jdelman wrote:
| $7k feels like a paltry sum for this discovery. Rambo is doing
| yeoman's work.
| [deleted]
| tinus_hn wrote:
| Wonder if it'd also be possible to send commands to Siri, that
| could also have some implications.
| yazzku wrote:
| For the love of god, stop working for peanuts. You guys in the
| hacker/security field are gurus. $7k for this is absolutely
| insulting. Do you know how much NSO charges for Pegasus? Find out
| how much the vuln is worth in the black market, then ask Apple
| double that. That's the only reasonable way to go about this.
| Stop doing corporations' work for peanuts! Check out how much the
| lawyers in those corporations make; lawyers know the value of
| their work.
| eastbound wrote:
| The right amount for a security bounty is the sum of all assets
| covered by that vulnerability minus $1.
|
| This is the only way companies will take the right processes to
| protect those assets.
| kube-system wrote:
| The impact and difficulty of exploit are pivotal parts of
| assessing the risk of a vulnerability. It doesn't really
| matter how many dollars of things are involved if the exploit
| can't be exploited or if it's not a big deal if anyone does.
| [deleted]
| MBCook wrote:
| So he should have sold this? He's always seemed like a good
| person to me who would do that.
|
| Sit on it knowing others may find it and users are at risk?
|
| Who cares he got paid. That's not why he did it, he found it
| while developing one of his apps and reported it. Good for him.
|
| It's nice Apple paid him. I can understand thinking it should
| have been more. But what ethical alternative is there to
| reporting it?
| TheLoafOfBread wrote:
| > Find out how much the vuln is worth in the black market, then
| ask Apple double that.
|
| Well, because he is not a corporation, he will get jumped on by
| lawyers and will go to jail for blackmailing Apple.
| dylan604 wrote:
| Blackmailing? It's called negotiating from a strong position.
| TheLoafOfBread wrote:
| That really depends how will judge and lawyers look on it.
| jalla wrote:
| dylan604 wrote:
| Is that you NSA?
| freeplay wrote:
| I think they burried the lede here. Conversations with Siri are
| probably pretty generic but being able to evesdrop on keyboard
| dictation is pretty severe. I know people that use dictation for
| the majority of their text messages and email.
| aquajet wrote:
| How many people use diction? I'm surprised cause I know
| virtually no one who uses diction, myself included.
| ok_dad wrote:
| My mother does it because of arthritis. Constantly.
| jdwithit wrote:
| My father in law (mid 70s) uses it constantly to compose text
| messages. I'm not sure I've ever seen him type one.
| willis936 wrote:
| I don't for multiple reasons, not the least of which is the
| possibility of an exploit that leaks it. I don't trust
| software.
| JustSomeNobody wrote:
| I use it when I want to send a text message that's longer
| than a few words. As long as I can do that without being a
| jerk to those around me.
| throwaway290 wrote:
| I use dictation a lot, I hate typing on touchscreens and hate
| voice messages.
| dontbenebby wrote:
| >I think they burried the lede here. Conversations with Siri
| are probably pretty generic but being able to evesdrop on
| keyboard dictation is pretty severe. I know people that use
| dictation for the majority of their text messages and email.
|
| I agree with your take!!
|
| If you scroll to the "Full TCC Bypass on macOS" portion, you
| can see that this bug allows folks to turn on an Airpod and
| direct that audio to a macOS device. This could enable what is
| known as a Tempest Attack[0,1]
|
| >BTLEServerAgent did not have any entitlement checks or TCC
| prompts in place for its com.apple.BTLEAudioController.xpc
| service, so any process on the system could connect to it, send
| requests, and receive audio frames from AirPods. This exploit
| would only work on macOS, because the more restricted sandbox
| of iOS prevents apps from accessing most global mach services
| directly.
|
| Stuff like that are why I hate Bluetooth in general, and I'm on
| the fence if either my laptop OR phone will be Apple products
| when I replace them.
|
| (They seem to cater to people who replace their devices every
| year and camp out outside the Apple store for new Apple stuff
| like nerds rather than the folks who didn't want to spend every
| weekend messing with kernel drivers and thus adopted what I
| will continue to refer to as "shiny BSD" even though they long
| since changed the name from OSX to macOS.)
|
| -- [0]
| https://en.wikipedia.org/wiki/Tempest_(codename)#Public_rese...
| [1]
| http://m6rqq6kocsyugo2laitup5nn32bwm3lh677chuodjfmggczoafzw[...
| cstejerean wrote:
| Even worse, it looks like on MacOS you can just straight up
| start recording on-demand, no need for dictation or siri.
|
| > Even worse, this particular exploit would also allow the app
| to request DoAP audio on-demand, bypassing the need to wait for
| the user to talk to Siri or use dictation.
| traceroute66 wrote:
| I'm an avid iPhone user but have never had the need or the desire
| to use Siri.
|
| I suggest people do what I do, load a profile that disables Siri
| - easily created using the Apple Configurator tool (under
| "Restrictions" untick "Allow Siri").
|
| N.B. I've never looked closely under Settings on the phone
| itself, there may well be Siri off option there ? But I just load
| profiles as I find its easier for hardening.
| TheLoafOfBread wrote:
| Unimportant bug, nobody is using voice assistants since hype has
| worn out cca 5 years ago.
| bryceacc wrote:
| first sentence:
|
| "and audio from the iOS keyboard dictation feature"
| TheLoafOfBread wrote:
| And who is using that? Half of characters are misspelled,
| second half misunderstood. Nobody has time to argue with a
| phone.
| asah wrote:
| Android it works pretty much perfectly and you can speak at
| normal speed.
|
| With Android it pretty much works perfectly and you can
| speak at normal speed. <== Same sentence dictated at full
| speed.
| TheLoafOfBread wrote:
| Yeah not for me. Android, nor Siri, nor Alexa.
| walterbell wrote:
| If an iOS app did not have "Background App Refresh" permission,
| could it still have exploited this vulnerability?
|
| Can physical microphones be removed from Apple devices by a
| repair shop, while still allowing use of wired/wireless headsets?
|
| We need Purism-style hardware kill switches for microphones,
| cameras and radios.
| MBCook wrote:
| Note this Bluetooth only.
| walterbell wrote:
| Yes, the question is how to permanently restrict the attack
| surface / time windows for audio and video surveillance
| attacks.
| dontbenebby wrote:
| It's not really a question, hardware switches work and
| companies refuse to put them in so they can... shrink the
| profile of devices in ways that rely on rare earth minerals
| to an unsustainable degree when combined with the typical
| replacement rate.
| walterbell wrote:
| Hopefully legislated right-to-repair can open the door to
| aftermarket mods, including phone body with new switches
| that can electrically disconnect specific sensors.
| ASalazarMX wrote:
| Instead of Bluetooth defaulting to on, and re-enabling
| itself next day if you turn it off from the control center,
| I'd like for Bluetooth to default to off. You'd have to
| enable it from the control center, and it would disable
| itself after a certain period of inactivity.
|
| I suppose that won't happen, as it would wreck the Find Me
| network if it depends solely on Bluetooth.
| byteduck wrote:
| When you turn off bluetooth from CC, it's not even
| turning it off. The radio is still on - it just doesn't
| make any new connections. You have to turn it off in
| preferences for that.
| walterbell wrote:
| That would be a good safety-first default. If Control
| Center could have buttons linked to iOS Automations for
| radio state, then advanced users could control this
| behavior with custom scripts.
|
| _> wreck the Find Me network if it depends solely on
| Bluetooth_
|
| Find Me presumably uses all identifiable radios,
| including BT, UWB, Wi-Fi.
___________________________________________________________________
(page generated 2022-10-26 23:00 UTC)