[HN Gopher] SiriSpy - iOS bug allowed apps to eavesdrop on your ... ___________________________________________________________________ SiriSpy - iOS bug allowed apps to eavesdrop on your conversations with Siri Author : mnem Score : 243 points Date : 2022-10-26 19:11 UTC (3 hours ago) (HTM) web link (rambo.codes) (TXT) w3m dump (rambo.codes) | QuackyTheDuck wrote: | Sigh ... I so much want Apple to get their shit together. To me | it feels like software quality reached a new low. | [deleted] | z9znz wrote: | There were some stubborn bad decisions that Steve Jobs stuck to | (1 button mouse, windows that don't appear when you cmd-tab to | them), but his Apple seemed to have better software. Since him, | it really seems to have gone downhill in terms of bugs and UI | consistency. | gw99 wrote: | The scary thing is it's the least bad option when it comes to | overall reliability. | gtvwill wrote: | Ooo that's a big depends on the situation. Making only phone | calls. Sure iPhones are great. Running LOB apps. Lol have fun | passing that crap through apples store. Androids way easier | for LOB. | | Remote MDM? Lol nightmare using apples gear. Warranty | services? Also a nightmare. Fleet level warranty support? | Ahahhahhaha have fun paying folks like IBM out the kazoo. No | thanks. | | iPhones are rock solid if you played w Fischer price toys as | a kid and only ever plan to be on the public consumer end of | the game, making calls and using apps someone else has | decided are ok for you. Go up the line to fleet rollout or | bulk purchasing/warranty work or running custom line of | business apps. Ahahhahhaha have fun w apple I've done the | work when I was w/ ibm, I refuse to touch it these days. | plugin-baby wrote: | What are LOB and MDM? | gtvwill wrote: | Line of Business, Mobile Device Management. | codalan wrote: | I think it depends on the phone. | | The Google Pixel series seems pretty solid for reliability. I | have a Pixel 7 Pro and it's been really good so far in terms | of software and build quality. I strongly prefer it to my | iPhone 13 Pro, which I'm currently selling off. | | But iPhone vs Samsung Galaxy? iPhone wins by a mile. I never | got used to the custom interface Samsung loaded onto those | phones, and hated that it included Samsung-specific apps that | just duplicated those already available by default on stock | Android. | gw99 wrote: | I have an iPhone 13 Pro. I found that Android is almost a | brick the moment you lose an Internet connection where as | the iPhone is still productive and I can do stuff offline | and it'll sync everything later no problems. | | That is a complete dealbreaker for me for Android. Also, | Google. | JamesonNetworks wrote: | Pixels had a defect where emergency calls didnt work with | MS teams installed. Both platforms wither under the lights | Tijdreiziger wrote: | They _still_ have problems with emergency calls. | | https://www.androidpolice.com/google-pixel-phones- | struggling... | freeplay wrote: | Couldn't agree more. As stupid as it may be, the only reason I | haven't moved to Andoid/GrapheneOS is iMessage. | [deleted] | hazyc wrote: | Is anyone else an avid iPhone user, yet also someone who never | uses Siri? I've used an iPhone exclusively for the past 8 years, | and I can count on one hand the number of times I've used Siri. | Interestingly, the one person I know who loves using Siri is my | 70yr old dad. | zippergz wrote: | Yes, I have had iPhones from the beginning and I never use | Siri. | BudaDude wrote: | I use Siri for setting timers and reminders. It's pretty good | at parsing numbers. Other than that, It hasn't been very | reliable for me. Apple really needs to overhaul Siri's | intelligence. | trap_goes_hot wrote: | I use it for things like 'will it rain today' or sending quick | texts when I am driving. | dfee wrote: | I use Siri all the time and am half your dads age. | | "Get directions to the nearest gas station.", "What's the score | of the Giant's game?", "Play Master of Puppets", "What is 4'3" | in centimeters?" And many, many more. | Firmwarrior wrote: | Man, I used to love using Siri, until I had a daughter and | named her "Sarah" | | big mistake. Turns out I say "Hey Sarah" a hundred times a | day, and all my iDevices pipe up and simultaneously say | "Yeah?" "WHAT'S UP" "HEY OVER HERE" "Hi it's me Siri what do | you need?" | keepquestioning wrote: | Why did you pick 'Sarah' | Firmwarrior wrote: | Late every night I cry and scream while asking myself | this same question, surrounded by my iPhone, Apple Watch, | 3 iPads, MacBook Pro, and Mac Studio | | How could I have been such a fool!??? | bigiain wrote: | "You're naming your children wrong." -- Jeve Stobs. | parker_mountain wrote: | I use it pretty frequently, mostly to set timers, alarms, or | send quick texts without getting up. | Aaronstotle wrote: | I only enabled Siri because it was necessary for CarPlay, it's | about a 50% success rate on getting anything right on the first | try. | SigmundA wrote: | I was that way for a long time, but the Apple TV remote got me | using it and I now occasionally do use it on my iPhone, mainly | while driving to play music on reply to texts. Definitely has | come a long way and is useful, one of my friends never types | texts anymore and just dictates through Siri. | [deleted] | [deleted] | joshstrange wrote: | My trust of what Siri is capable of is laughably low but I do | use it for reminders ("Remind me on X day...", "Remind me in X | hours...", "Remind me when I get home...") and for timers. | Occasionally I'll use it for unit conversions but I usually use | Alexa for that since I'm in my kitchen often when I use that | and it's just right there. Other than that I don't use it. | dylan604 wrote: | I have never enabled Siri on any device. Precisely for fear of | this kind of shit, or the ones where humans are listening to | the recordings that are obviously being made, and all of the | other logical conclusions one can reach on how this can be | abused. | | Just like HDD failures, it is not a question of if but when. | tristor wrote: | You are not alone. I've been using an iPhone for over a decade | now. I've had Siri turned off the entire time. I have never | turned it on. I do not now, or ever, want a "voice assistant" | or any technology that listens to me and tries to understand | what I want by listening to me. I want technology that does | exactly what I tell it to do and nothing more. | | Siri is a better option than the alternative "voice assistants" | on the market, but they're all bad in my book, and I don't want | any of them. | nanidin wrote: | Siri killer apps for me are asking for factoids via my watch, | and opening my garage door as I approach while driving (my | building uses an app that requires multiple taps + swipes to | open the garage door, using Siri makes it palatable.) | gleenn wrote: | Are you using proprietary garage door software? Would live to | have any better kind of integration there so any setup | details that aren't crazy specific to some manufacturer would | be interesting | nanidin wrote: | My apartment building recently switched to an access | control system called Brivo. It replaced a keyfob + garage | door opener system with an app. Overall not the greatest as | it's now difficult to get into the building if you leave | your phone at home. | | My "integration" with Siri is to set up an iOS shortcut and | use Siri to trigger it. | pcardoso wrote: | Not the parent, but I use Shelly devices flashed with the | shelly-homekit firmware and I can control them with the | HomeKit app or Siri. | | I haven't bothered yet to add a open/close sensor so the | current open state is lost if I use the remote. I have to | invert the actions when this happens. Annoying but I only | need to use it this way occasionally. | bdougherty wrote: | I only ever use it in the car with CarPlay. | kitsunesoba wrote: | My personal use as someone his 30s is mostly as a kitchen timer | with a HomePod mini (not my phone), to turn on/off lights, and | to occasionally toss things onto a to-do list. | | My dad on the other hand loves his full size HomePod stereo | pair and uses them frequently, almost entirely for playing | music with voice commands. I think there are other things he | might find it useful for but I haven't shown him those yet. | dilap wrote: | Occasionally I ask her (it?) to set a timer or add a reminder, | but mostly I don't. Siri is quite slow and frustratingly | limited. | | The other day in a hurry and driving somewhere, I ended up w/ | both Apple Maps and Google Maps open, simultaneously giving me | directions. | | "Hey Siri, close Google Maps" | | "To close an application, swipe up from the bottom of the | phone..." | | To paraphrase a quote from Steve Jobs, if your voice assistant | asks you to touch the screen, you blew it. | pftburger wrote: | Seconded. I get way too many "Im sorry Dave, I just can't do | that" moments | Kye wrote: | Siri's performance and quality seems to depend a lot on the | on-board ML cores since it switched to on-device. It was | basically unusable on my 6S Plus with its early ML cores, and | now it's great on the 14 Pro Max I replaced it with. It seems | like they ship a Siri to match the device capability. | BudaDude wrote: | It makes no sense that Siri is so stunted in what she can do. | z9znz wrote: | No kidding! She obviously knew what was wanted, but instead | of doing her fing job, she tells you how to do it yourself. | She doesn't like when I tell her to F herself. I hope some | of those recordings end up with Apple training. | throwaway290 wrote: | May they be hedging against a vulnerability where a | malicious person with similar enough voice closes some | crucial app in a sticky situation. It's not as harmless | than setting reminders/alarms which I use Siri for. | genewitch wrote: | yeah like in that movie when the Bomb Squad is using | Pocket Bomb Defuser Pro 2023 and the bomber shouts over | the loudspeakers "Siri, Turn off Bomb Defuser Pro" and | then everyone was sad. | | A moody teenager rips a poster of Jobs off their bedroom | wall. | knodi123 wrote: | I switched from Android a few years ago because my company | gives out iphones as a perk. I used "ok google" extensively, | and loved it. It was incredibly good at answering obscure | questions and doing things like navigating or playing a song. | It would do what I wanted almost every time, even if I was | trying a new command for the first time. | | I try to use Siri for the same things, but she suuuuuuucks. If | I ask her to play a song, 9 out of 10 times it will do | something idiotic- like I say "hey siri play tears in heaven on | spotify", she might reply "now playing tears in heaven by a | shitty kazoo cover band". If I say "navigate to the closest | olive garden", it would say "navigating to olive garden | corporate headquarters, estimated travel time 43 hours 12 | minutes." But never mind, I can see the olive garden I was | looking for, it's at the end of the street I'm on. | | These are artificial examples because I can't remember | specifics right now, but trust me - the real examples were just | as dumb. | | She's great at setting timers or alarms though! And I can | reliably use her to pause, skip, or adjust volume when I'm | showering or something. | dcdc123 wrote: | The only reason I even have it enabled is because it is | required for voicemail transcription. | TheFreim wrote: | > I know who loves using Siri is my 70yr old dad. | | My mother loves using Siri, she always uses it when she wants | to look things up. It seems quite useful for people who aren't | proficient at typing quickly, easier to ask Siri. | asadlionpk wrote: | I just use it in text-mode ie. Double tap siri button, type the | thing I want (wake me 7am). Done. | Ntrails wrote: | I disabled it all the day it came out. | | I briefly enabled so I could text mum to say when I was nearly | home. Avoids sneaking a traffic light text. Turns out it was | waaaaaaaay more distracting and time consuming to get siri to | text a single word, so back into the box it went | madrox wrote: | In my experiences working on voice OS, it's boom or bust | depending on the user. Some people use it rarely if ever and | some people live by it, and there's little in between. I think | it makes sense in most cases to view voice commands as an | accessibility feature. | sbf501 wrote: | iPhone user since 2009. I used Siri for about a month when it | first came out because I really liked hearing a British man's | voice said "SSSSHedule" to me instead of "skedule", but then I | learned it was sending all audio to the cloud and noped out. | z9znz wrote: | I use Siri to set a timer. That's it. And I do it by holding my | power button to activate her. | | My only other use of Siri usually involved phrases like "stop", | "go away", "close", "fucking close!", "you stupid f _cking *_ | ** close the **** thing " when Siri would pop up out of nowhere | and interrupt whatever I was actually doing. I had it turned | off, but occasionally somehow it's back on, listening. | | Other actual attempts at using it have been no better than 50% | effective, so it wasn't worth the trouble. And I was speaking | very clearly and articulately. | | I've observed a friend (a Googler who had Google-fied his | house) have frequent useless conversations with the Google | assistant, so maybe 50% is the best you can hope for. No | experience with Alexa, but I'd be too scared to even turn it | on; I might end up with three refrigerators delivered the next | day. | jdwithit wrote: | Same here. Even that simple task (setting a timer) only has | about a 75% success rate for me. The other 25% it spins for | 30 seconds then says "hmm something went wrong". Trying for | anything more complex, even playing a song or album, is just | asking for trouble. I honestly can't believe how bad Siri is | despite years of development. | | I do have an older iPhone 10 and maybe it's just not up to | the task of running Siri? But if so they should disable it | rather than put on this extremely amateur feeling show. | | For what it's worth we have an Echo Dot in the house and I | find it to be both orders of magnitude more responsive and | more likely to actually do what I asked for. No unwanted | refrigerators have arrived as of yet. | aparks517 wrote: | For sure. I stood in line for the original iPhone, owned every | model (except the 5C) up through the 6, then an SE, X, and now | an 11 Pro since it came out. I played around with Siri when it | debuted, but didn't use it much. I turned it off at some point | (I think it was when Apple was catching grief for keeping | recordings or something like that) and haven't missed it. I'm | not against it especially -- it just never really became part | of my life. | z9znz wrote: | My colleagues and I had a moment of fun somewhere in remote | Iceland, offroading on the way to a glacier. On an iPhone 3G, | we were able to ask trivia questions and get pretty useful | responses. | | Aside from setting a timer, I've not seen Siri do anything | more useful in 9 years. You haven't missed anything. | lagrange77 wrote: | The first day i asked her for the weather, songs and alarms. | The second day i turing tested her, asked it philosophical | questions and insulted it the worst way. Yes, that was pretty | much it. | z9znz wrote: | Ironically, she will complain if you cuss at her and call her | names, but she won't turn herself off. And when she pops up | without my request, and I want her to go off, it seems | there's no verbal way to make her go away... even verbally | abusing her. | lapcat wrote: | Don't forget that iOS and macOS silently re-enable Bluetooth on | every software update. | https://lapcatsoftware.com/articles/bluetooth.html | [deleted] | walterbell wrote: | Even worse, Control Panel buttons only "suspend" BT/WiFi, you | have to go into Settings to turn them off again ... and again | ... and again. | sixstringtheory wrote: | I called this a data grab from day 1 and stand by that. The | amount of fellow iOS developers I've had argue for the | "convenience" is astounding. There should be a settings | toggle to control the auto-reenable behavior. | mikece wrote: | I don't want stories like this to be the reason I'm glad I | switched to Graphene OS. I don't want anyone hacked or spied on. | aaronharnly wrote: | Pro tip: all systems have bugs. | [deleted] | runjake wrote: | A $7,000 bounty for eavesdropping and TCC (app permissions) | vulnerabilities. Insulting. | rtev wrote: | This is why people sell bugs. | [deleted] | pxmpxm wrote: | My first thought as well - the author must be doing this stuff | as a hobby/for fun, because that's not nearly enough to comp | you for the time spent. | henriquez wrote: | Seems like $70,000 would have been a more fair bounty. This is a | really nasty bug. | pvg wrote: | _$70,000 would have been more fair_ | | There's really no basis for this beyond its reflexive | repetition on messageboards. You might as well type 'million | dollar logout CSRF' in every vulnerability report thread. | lapcat wrote: | Here are the listed payouts from the Apple Security Bounty | program, starting at $25,000. | https://developer.apple.com/security-bounty/payouts/ | pvg wrote: | The closest is | | _$25,000. App access to a small amount of sensitive data | normally protected by a TCC prompt._ | | In this case you get a misleading prompt, the access | requires additional interactions. It's a serious bug and | I'm all for reporters of serious bugs getting bigger | bounties from companies that have more cash than they know | what to do with. But simply dropping a random number in | every single one of these threads is just noise, not even | advocacy or technical discussion. | TheJoeMan wrote: | I think you missed the end of the article where any MacOS | app could turn on your AirPods microphone without any | permissions at all and at any time at all. | pvg wrote: | I didn't, it's just that 'vulnerability that requires a | malicious app on macOS' is a much less interesting one | that something like that for iOS. | lapcat wrote: | "Full TCC Bypass on macOS" | dangerwill wrote: | It is definitely arbitrary but part of me does think that | surfacing such a bug is pretty important and if the monetary | incentive was higher then we would have more white hat | pentesters out there. | [deleted] | tonywastaken wrote: | "iOS bug allowed apps to eavesdrop on your conversations with | Siri" should be "iOS bug allowed apps to eavesdrop on your | interactions with Siri and dictation over bluetooth" | jdelman wrote: | $7k feels like a paltry sum for this discovery. Rambo is doing | yeoman's work. | [deleted] | tinus_hn wrote: | Wonder if it'd also be possible to send commands to Siri, that | could also have some implications. | yazzku wrote: | For the love of god, stop working for peanuts. You guys in the | hacker/security field are gurus. $7k for this is absolutely | insulting. Do you know how much NSO charges for Pegasus? Find out | how much the vuln is worth in the black market, then ask Apple | double that. That's the only reasonable way to go about this. | Stop doing corporations' work for peanuts! Check out how much the | lawyers in those corporations make; lawyers know the value of | their work. | eastbound wrote: | The right amount for a security bounty is the sum of all assets | covered by that vulnerability minus $1. | | This is the only way companies will take the right processes to | protect those assets. | kube-system wrote: | The impact and difficulty of exploit are pivotal parts of | assessing the risk of a vulnerability. It doesn't really | matter how many dollars of things are involved if the exploit | can't be exploited or if it's not a big deal if anyone does. | [deleted] | MBCook wrote: | So he should have sold this? He's always seemed like a good | person to me who would do that. | | Sit on it knowing others may find it and users are at risk? | | Who cares he got paid. That's not why he did it, he found it | while developing one of his apps and reported it. Good for him. | | It's nice Apple paid him. I can understand thinking it should | have been more. But what ethical alternative is there to | reporting it? | TheLoafOfBread wrote: | > Find out how much the vuln is worth in the black market, then | ask Apple double that. | | Well, because he is not a corporation, he will get jumped on by | lawyers and will go to jail for blackmailing Apple. | dylan604 wrote: | Blackmailing? It's called negotiating from a strong position. | TheLoafOfBread wrote: | That really depends how will judge and lawyers look on it. | jalla wrote: | dylan604 wrote: | Is that you NSA? | freeplay wrote: | I think they burried the lede here. Conversations with Siri are | probably pretty generic but being able to evesdrop on keyboard | dictation is pretty severe. I know people that use dictation for | the majority of their text messages and email. | aquajet wrote: | How many people use diction? I'm surprised cause I know | virtually no one who uses diction, myself included. | ok_dad wrote: | My mother does it because of arthritis. Constantly. | jdwithit wrote: | My father in law (mid 70s) uses it constantly to compose text | messages. I'm not sure I've ever seen him type one. | willis936 wrote: | I don't for multiple reasons, not the least of which is the | possibility of an exploit that leaks it. I don't trust | software. | JustSomeNobody wrote: | I use it when I want to send a text message that's longer | than a few words. As long as I can do that without being a | jerk to those around me. | throwaway290 wrote: | I use dictation a lot, I hate typing on touchscreens and hate | voice messages. | dontbenebby wrote: | >I think they burried the lede here. Conversations with Siri | are probably pretty generic but being able to evesdrop on | keyboard dictation is pretty severe. I know people that use | dictation for the majority of their text messages and email. | | I agree with your take!! | | If you scroll to the "Full TCC Bypass on macOS" portion, you | can see that this bug allows folks to turn on an Airpod and | direct that audio to a macOS device. This could enable what is | known as a Tempest Attack[0,1] | | >BTLEServerAgent did not have any entitlement checks or TCC | prompts in place for its com.apple.BTLEAudioController.xpc | service, so any process on the system could connect to it, send | requests, and receive audio frames from AirPods. This exploit | would only work on macOS, because the more restricted sandbox | of iOS prevents apps from accessing most global mach services | directly. | | Stuff like that are why I hate Bluetooth in general, and I'm on | the fence if either my laptop OR phone will be Apple products | when I replace them. | | (They seem to cater to people who replace their devices every | year and camp out outside the Apple store for new Apple stuff | like nerds rather than the folks who didn't want to spend every | weekend messing with kernel drivers and thus adopted what I | will continue to refer to as "shiny BSD" even though they long | since changed the name from OSX to macOS.) | | -- [0] | https://en.wikipedia.org/wiki/Tempest_(codename)#Public_rese... | [1] | http://m6rqq6kocsyugo2laitup5nn32bwm3lh677chuodjfmggczoafzw[... | cstejerean wrote: | Even worse, it looks like on MacOS you can just straight up | start recording on-demand, no need for dictation or siri. | | > Even worse, this particular exploit would also allow the app | to request DoAP audio on-demand, bypassing the need to wait for | the user to talk to Siri or use dictation. | traceroute66 wrote: | I'm an avid iPhone user but have never had the need or the desire | to use Siri. | | I suggest people do what I do, load a profile that disables Siri | - easily created using the Apple Configurator tool (under | "Restrictions" untick "Allow Siri"). | | N.B. I've never looked closely under Settings on the phone | itself, there may well be Siri off option there ? But I just load | profiles as I find its easier for hardening. | TheLoafOfBread wrote: | Unimportant bug, nobody is using voice assistants since hype has | worn out cca 5 years ago. | bryceacc wrote: | first sentence: | | "and audio from the iOS keyboard dictation feature" | TheLoafOfBread wrote: | And who is using that? Half of characters are misspelled, | second half misunderstood. Nobody has time to argue with a | phone. | asah wrote: | Android it works pretty much perfectly and you can speak at | normal speed. | | With Android it pretty much works perfectly and you can | speak at normal speed. <== Same sentence dictated at full | speed. | TheLoafOfBread wrote: | Yeah not for me. Android, nor Siri, nor Alexa. | walterbell wrote: | If an iOS app did not have "Background App Refresh" permission, | could it still have exploited this vulnerability? | | Can physical microphones be removed from Apple devices by a | repair shop, while still allowing use of wired/wireless headsets? | | We need Purism-style hardware kill switches for microphones, | cameras and radios. | MBCook wrote: | Note this Bluetooth only. | walterbell wrote: | Yes, the question is how to permanently restrict the attack | surface / time windows for audio and video surveillance | attacks. | dontbenebby wrote: | It's not really a question, hardware switches work and | companies refuse to put them in so they can... shrink the | profile of devices in ways that rely on rare earth minerals | to an unsustainable degree when combined with the typical | replacement rate. | walterbell wrote: | Hopefully legislated right-to-repair can open the door to | aftermarket mods, including phone body with new switches | that can electrically disconnect specific sensors. | ASalazarMX wrote: | Instead of Bluetooth defaulting to on, and re-enabling | itself next day if you turn it off from the control center, | I'd like for Bluetooth to default to off. You'd have to | enable it from the control center, and it would disable | itself after a certain period of inactivity. | | I suppose that won't happen, as it would wreck the Find Me | network if it depends solely on Bluetooth. | byteduck wrote: | When you turn off bluetooth from CC, it's not even | turning it off. The radio is still on - it just doesn't | make any new connections. You have to turn it off in | preferences for that. | walterbell wrote: | That would be a good safety-first default. If Control | Center could have buttons linked to iOS Automations for | radio state, then advanced users could control this | behavior with custom scripts. | | _> wreck the Find Me network if it depends solely on | Bluetooth_ | | Find Me presumably uses all identifiable radios, | including BT, UWB, Wi-Fi. ___________________________________________________________________ (page generated 2022-10-26 23:00 UTC)