Luca Caviglione of the National Research Council of Italy and Wojciech Mazurczy of the Warsaw University of Technology warn that “malicious actors” could use Siri for stealthy data exfiltration by using a method that’s based on steganography, the practice of hiding information.
Clearly the malicious actors are hacked off that people have been stealing their pictures from the iCloud and posting them online and have taken Siri hostage.
iOS malware is also increasingly common, as the popularity of the iPhone is matched by the company’s misplaced belief in its own security vulnerability.
Mazurczy and Caviglione have demonstrated that iOS malware could become difficult to detect.
When users talk to Siri, their voice is processed with the Speex Codec, and the data is transmitted to Apple’s servers where the voice input is translated to text.
Using an attack method called iStegSiri, the “shape” of this traffic embeds sensitive data from the device. This covert channel could be used to send credit card numbers, Apple IDs, passwords, and other sensitive information from the phone to the criminals.
First, a secret message is converted into an audio sequence based on voice and silence alternation. Then, the sound pattern is provided to Siri as input through the internal microphone. Finally, the recipient of the secret message inspects the traffic going to Apple’s servers and extracts the information based on a decoding scheme..
In their experiments, Mazurczy and Caviglione managed to use this method to exfiltrate data at a rate of 0.5 bytes per second. At this speed, it would take roughly 2 minutes to send a 16-digit payment card number to the attacker.
It only works on jail broken devices and attackers somehow need to be able to intercept the modified Siri traffic. However, the researchers highlighted that the purpose of iStegSiri is to help the security community with the detection of malware on the iOS platform.
The researchers told IEEE Spectrum that they have not made specific details on iStegSiri public to prevent cybercriminals from using their work. We guess that Apple have not modified anything in the iOS to stop it happening if someone works it out.