Apple iOS and macOS bug could let apps listen to your Siri conversations

A newly disclosed flaw in both Apple's iOS and macOS operating systems allowed apps with Bluetooth access to listen in on your Siri conversations. Security researcher Guilherme Rambo discovered the bug, dubbed “SiriSpy”, and Apple confirmed that the issue was resolved in the iOS 16.1 update.

“An app may be able to record audio using a pair of connected AirPods,” according to an Apple statement. Rambo found that Beats headphones, a brand owned by Apple, are also affected.

The finding is alarming because Siri conversations frequently include sensitive information, such as the user's geographic location or other personal details.

Rambo demonstrated in a proof-of-concept that a malicious third-party app could capture audio snippets of Siri conversations without the user’s knowledge. “If an attacker wanted, they could exfiltrate those snippets to a remote system and wipe them locally, leaving no trace of the covert eavesdropping activity.”

Furthermore, “this would happen without the app requesting microphone access permission and without the app leaving any trace that it was listening to the microphone,” added Rambo.

Mitigation for SiriSpy

The issue was officially addressed in the iOS 16.1 update, which also included fixes for 20 other flaws. “SiriSpy” was assigned the identifier CVE-2022-32946.

Rambo also explained on his blog that Apple's fix was simply to deny third-party apps access to the AirPods DoAP service over BLE GATT.

“The main issue – direct access to AirPods DoAP over BLE GATT – was addressed by restricting access to the service. Even though AirPods and iPhones, Macs, etc are standard Bluetooth devices, Apple has a system in place to limit which services third-party apps can access, so they just added the DoAP service to that deny list.”

Siri, which by design records the speaker’s requests and sends them to Apple’s servers for transcription, processing and a response, has been plagued with security concerns.

It was previously revealed that Apple contractors were able to review Siri content, which frequently included privacy-invasive recordings.

Rambo was awarded $7,000 for responsibly disclosing the bug to Apple.