A recent post showing the protocols used by Siri, the
voice-activated assistant in Apple’s iPhone 4S, may open the doors to
attackers to make the smartphone betray its owner, a computer security
firm warned.
Trend Micro said an attacker who
can spoof the technical requirements and fool Siri into thinking it is
communicating with Apple’s servers can intercept Siri communications.
“The most obvious attack is to play man-in-the-middle and capture all
Siri requests and responses. This alone may be useful, but the questions
you ask Siri might betray what you are working on. Soon, we can easily
start changing answers like altering stock quotes, or replacing a
request to call a colleague from your contact list. This can be replaced
with a request to call a different number that will forward the call to
the original person you intended to call, and record the conversation,”
it said in a blog post.
While it said this would require inside knowledge of the victim’s address book, it “appears possible to a determined attacker.”
Such attacks will require that the attacker successfully load a
self-signed certificate into the device and control the local DNS, to
successfully intercept Siri communications.
Trend Micro suggested that Apple move to a challenge-response
authentication system, requiring that the server SSL key matches a given
key ID, or is signed by a key with a set ID.
Earlier, researchers at Applidium published its findings about the
protocol used by Siri, which processes requests via servers at Apple.
Such requests are mapped into commands that the iPhone can understand, and then sent back to the device.
“One must also hijack DNS so that the phone would think guzzoni.apple.com is at an IP address that you control,” it noted.
Yet, Trend Micro said the publication of the protocols also show Siri can be ported to any device with a valid iPhone 4S ID.
One can even build a Siri server for existing Siri-capable devices to talk to.
This can be utilized for home use for commands like “turn on the light”
or “close the garage door,” or even be done within a business, it said.
“Imagine integrating such a system with your everyday tools to make
workflow voice interactive. Anything you can script, you can ask Siri
about,” it said. — TJD, GMA News
This is dummy text. It is not meant to be read. Accordingly, it is difficult to figure out when to end it. But then, this is dummy text. It is not meant to be read. Period.
ConversionConversion EmoticonEmoticon