Siri Protocol Cracked

First time accepted submitter jisom writes with something that will probably not be working come morning. Quoting the source: "Today, we managed to crack open Siri's protocol. As a result, we are able to use Siri's recognition engine from any device. Yes, that means anyone could now write an Android app that uses the real Siri! Or use Siri on an iPad! And we're going to share this know-how with you." Basically, Siri sends the data to the processing server using non-standard HTTP extensions. Of note is that the audio is encoded using Ogg Speex.

You still need iPhone 4S

[CmdrPony]

While you could write an Android app or anything else, the protocol sends an unique ID with the request. That ID is unique to every iPhone 4S. End result being, you can probably use your own for your personal use, but if you try to sell an App for Android and include your ID with it, Apple will just blacklist it. So you will still need your own iPhone 4S.

Re:You still need iPhone 4S

Or use an open WiFi access point. I'd point out the iThingies send their UUID in a lot of requests to Apple servers over ordinary HTTP. I know this because I block it in Privoxy.

Re:You still need iPhone 4S

[bemymonkey]

There is nothing available on Android that's anywhere near as functional as Siri (seems to be in the ads). Voice recognition is OK (but largely dependent on the quality of your device - if the manufacturer [HTC, cough] used cheap mics, no chance), but unless you want to call someone or search Google, you're going to need to do it the old fashioned way.

And yes, I'm one of the rabid Android fanboys you seem to be encountering so often ;)

Re:You still need iPhone 4S

[Trogre]

Not that it's relevant to the argument at hand, but you might like to research the practice of back-firing, in relation to creating a firebreak, particularly with bushfires.

Re:Apple upending their Bucket o' Lawyers on this

[CmdrPony]

They are already sending everything with HTTPS. That's why the researchers had to use gateway machine and certificate tricks to do man-in-the-middle attack.

Re:Apple upending their Bucket o' Lawyers on this

[Fnord666]

Here is an easier solution, how about just send everything via HTTPS.

Apple is. From TFA:

Surprisingly, when we did, we wouldnâ(TM)t gather any traffic when using Siri. So we ressorted to using tcpdump on a network gateway, and we realised Siriâ(TM)s traffic was TCP, on port 443, to a server at 17.174.4.4.

The app even validated that the cert used was signed by a trusted CA. Fortunately the iphone4S allows you to add your own trusted CA to the trust chain.

Re:Slightly less impressed

[_xeno_]

Doing the processing on the server seems very slow to me - I can find a contact much faster by pressing the first few letters than waiting for the round-trip latency to siri.

Yep. It's extremely annoying, actually, because Siri replaces the existing voice commands. So doing something like "call brother" - which used to take maybe a half second - takes a good three seconds or so of lag time. More annoyingly is things like "play playlist driving songs" - first you have to wait for the three seconds round-trip processing, then you have to wait for the iPhone to decide which playlist that matches ("Looking for playlist driving songs," Siri says), then you have to wait for her to narrate "playing playlist driving songs" before the music actually starts.

Compare to the previous, non-Siri version:

"Play playlist driving songs."
(half-second pause) "Playing playlist driving songs." (music starts)

Yay progress. About the only thing I use Siri for is asking dumb questions and seeing what responses I get. For actual voice controls, it's - well, not useless, exactly, just obnoxiously slow.

Re:Slightly less impressed

[CharlyFoxtrot]

So turn it off : "If you wish to use Voice Control while you are not connected to the Internet, turn Siri off from Settings > General > Siri. Make sure to turn Siri back on when you have Internet connectivity and you wish to use it again."