Slashdot Mirror


Siri Protocol Cracked

First time accepted submitter jisom writes with something that will probably not be working come morning. Quoting the source: "Today, we managed to crack open Siri's protocol. As a result, we are able to use Siri's recognition engine from any device. Yes, that means anyone could now write an Android app that uses the real Siri! Or use Siri on an iPad! And we're going to share this know-how with you." Basically, Siri sends the data to the processing server using non-standard HTTP extensions. Of note is that the audio is encoded using Ogg Speex.

3 of 403 comments (clear)

  1. Re:Slightly less impressed by aXis100 · · Score: 5, Interesting

    Doing the processing on the server seems very slow to me - I can find a contact much faster by pressing the first few letters than waiting for the round-trip latency to siri.

    Heaps of people have tried to demo siri to me and most of the time it was a gimick that failed badly - either was slower than manual methods or just innacurate.

  2. Re:You still need iPhone 4S by Odin_Zifer · · Score: 5, Interesting

    If some one where to gather a couple dozen unique ID's they could use those to setup a Siri relay service.

  3. A lesson in client/server security by AndrewStephens · · Score: 5, Interesting

    TFA is actually pretty interesting:

    As you know, the “S” in HTTPS stands for “secure” : all traffic between a client and an https server is ciphered. So we couldn’t read it using a sniffer. In that case, the simplest solution is to fake an HTTPS server, use a fake DNS server, and see what the incoming requests are. Unfortunately, the people behind Siri did things right : they check that guzzoni’s certificate is valid, so you cannot fake it. Well they did check that it was valid, but thing is, you can add your own “root certificate”, which lets you mark any certificate you want as valid.

    Some Apple software (parts of iTunes) goes further and checks that the certificate presented by the server is actually signed by Apple. If the Siri software did this then the server would be impossible to fake man-in-middle-wise without hacking the client itself. Just checking that the certificate is valid is pretty useless protection - any certificate could be valid, what you care about is whether the server is who it says it is.

    --
    sheep.horse - does not contain information on sheep or horses.