Siri protocol may let hackers intercept iPhone users

A recent post showing the protocols used by Siri, the voice-activated assistant in Apple’s iPhone 4S, may open the door for attackers to make the smartphone betray its owner, a computer security firm warned.
Trend Micro said an attacker who can spoof the technical requirements and fool Siri into thinking it is communicating with Apple’s servers can intercept Siri communications.
“The most obvious attack is to play man-in-the-middle and capture all Siri requests and responses. This alone may be useful, but the questions you ask Siri might betray what you are working on. Soon, we can easily start changing answers like altering stock quotes, or replacing a request to call a colleague from your contact list. This can be replaced with a request to call a different number that will forward the call to the original person you intended to call, and record the conversation,” it said in a blog post.
While it said this would require inside knowledge of the victim’s address book, it “appears possible to a determined attacker.”
Such attacks require the attacker to load a self-signed certificate onto the device and to control the local DNS in order to intercept Siri communications.
Trend Micro suggested that Apple move to a challenge-response authentication system, requiring that the server SSL key matches a given key ID, or is signed by a key with a set ID.
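On the client side, the check Trend Micro suggests could look like the sketch below. It is an added example, not code from Trend Micro, Applidium or Apple; the function names, the placeholder certificate bytes, and the use of a SHA-256 fingerprint of the whole certificate as the "key ID" are assumptions.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder bytes standing in for DER-encoded certificates.
GENUINE_CERT_DER = b"constructed-der:genuine-assistant-server"
ROGUE_CERT_DER = b"constructed-der:self-signed-interceptor"


def key_id(cert_der: bytes) -> str:
    """SHA-256 fingerprint, used here as the 'key ID' (assumption)."""
    return hashlib.sha256(cert_der).hexdigest()


# IDs shipped inside the client, independent of the device trust store.
PINNED_IDS = frozenset({key_id(GENUINE_CERT_DER)})


def pin_matches(cert_der: bytes, pinned_ids=PINNED_IDS) -> bool:
    """True only if the presented certificate hashes to a pinned ID."""
    presented = key_id(cert_der)
    return any(hmac.compare_digest(presented, p) for p in pinned_ids)


def connect_pinned(host: str, port: int = 443, pinned_ids=PINNED_IDS):
    """Open a TLS connection that must pass chain validation AND the pin."""
    ctx = ssl.create_default_context()  # usual CA chain and hostname checks
    sock = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    try:
        # Extra step: compare the peer certificate with the built-in IDs.
        if not pin_matches(tls.getpeercert(binary_form=True), pinned_ids):
            raise ssl.SSLError("server certificate does not match pinned ID")
    except Exception:
        tls.close()
        raise
    return tls
```

Because the pinned IDs ship with the client, a certificate that was added to the device's trust store can satisfy the default context but still fails `pin_matches`.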
Earlier, researchers at Applidium published their findings about the protocol used by Siri, which processes requests via servers at Apple.
Such requests are mapped into commands that the iPhone can understand, and then sent back to the device.
“One must also hijack DNS so that the phone would think is at an IP address that you control,” it noted.
Yet, Trend Micro said the publication of the protocols also shows Siri can be ported to any device with a valid iPhone 4S ID.
One can even build a Siri server for existing Siri-capable devices to talk to.
This can be utilized for home use for commands like “turn on the light” or “close the garage door,” or even be done within a business, it said.
“Imagine integrating such a system with your everyday tools to make workflow voice interactive. Anything you can script, you can ask Siri about,” it said. — TJD, GMA News