Slashdot Mirror


Researchers Use Siri To Steal Data From iPhones

wiredmikey writes "Using Apple's voice-activated Siri function, security researchers have managed to steal sensitive information from iOS smartphones in a stealthy manner. Luca Caviglione of the National Research Council of Italy and Wojciech Mazurczyk of the Warsaw University of Technology warn that malicious actors could use Siri for stealthy data exfiltration by using a method that's based on steganography, the practice of hiding information. Dubbed "iStegSiri" by the researchers, the attack can be effective because it doesn't require the installation of additional software components and it doesn't need the device's alteration. On the other hand, it only works on jailbroken devices and attackers somehow need to be able to intercept the modified Siri traffic. The attack method involves controlling the "shape" of this traffic to embed sensitive data from the device. This covert channel could be used to send credit card numbers, Apple IDs, passwords, and other sensitive information from the phone to the criminal mastermind, researchers said in their paper."

55 comments

  1. Only works on jailbroken devices by Anonymous Coward · · Score: 4, Insightful

    Nothing to see here, move along.

    1. Re:Only works on jailbroken devices by Anonymous Coward · · Score: 1

      Jailbroken devices are in the low single digit percentage of all iOS devices, but so is Linux on the desktop so yes actually it is a concern.

    2. Re:Only works on jailbroken devices by Anonymous Coward · · Score: 4, Insightful

      Right, this effectively boils down to "if you install a rootkit on a device, bad things can happen"... No shit, Sherlock.

    3. Re:Only works on jailbroken devices by Anonymous Coward · · Score: 0

      More like low fractions of a percent.

    4. Re: Only works on jailbroken devices by StuartHankins · · Score: 0

      Please mod up. This doesn't affect most users.

    5. Re: Only works on jailbroken devices by StuartHankins · · Score: 0

      Please mod up. This doesn't affect the vast majority of users.

    6. Re:Only works on jailbroken devices by Anonymous Coward · · Score: 0

      Are you claiming that a stolen device can't be jailbroken? Because it seems to me that that is where the problem lies.
      What iPhone users need to know is whether they need to keep track of their phone as closely as they do their wallet.
      If your phone getting stolen and jailbroken leads to your credit card being abused, then you might be a bit more reluctant to leave your phone in the charger.
      What risk do you take when you leave your device on the table at the pub while you turn around to talk to an acquaintance for a minute? Is it just the risk of a gadget or do you risk your life being turned upside down?

    7. Re:Only works on jailbroken devices by AmiMoJo · · Score: 2

      Around 30-35% of iPhones in China are jailbroken, if reports are to be believed. In any case, the jailbreaking tools get millions of downloads, so there are definitely a large number of people at risk.

      While you make an interesting point it ignores the wider issues. People claim Android is insecure even though all of the malware needs you to enable installing from .apk files, and much of it needs root. At least on Android you can legitimately use other app stores like Amazon's, and even rooting your phone doesn't open it up to these kinds of exploits because the root system is basically the Linux su command with a GUI and all the protections that come with it.

      I agree that it isn't as bad as the summary makes out, but it is still an interesting issue.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Only works on jailbroken devices by Anonymous Coward · · Score: 0

      I have a hard enough time getting Siri to access the data she's supposed to.. so good luck with that.

    9. Re:Only works on jailbroken devices by Anonymous Coward · · Score: 0

      Who cares how many iPhones in China are jailbroken? What's the point in singling out that group?

      Most estimates put the overall percentage of jailbroken iDevices somewhere south of 10%.

    10. Re:Only works on jailbroken devices by Plumpaquatsch · · Score: 1

      Around 30-35% of iPhones in China are jailbroken, if reports are to be believed. In any case, the jailbreaking tools get millions of downloads,

      Compared to over a hundred million iPhones sold each year? Yeah, whatever.

      --
      Of course news about a fake are Fake News.
  2. Requirement to have compromised device by Rosyna · · Score: 5, Insightful

    So in order for this to work, an iOS device must already be compromised with a jailbreak? Why is that news?

    1. Re:Requirement to have compromised device by Anonymous Coward · · Score: 0

      It'd have to compromise our man-bags too.

    2. Re:Requirement to have compromised device by Anonymous Coward · · Score: 1

      Because a non-trivial number of iPhone users jailbreak their devices?

    3. Re:Requirement to have compromised device by Impy+the+Impiuos+Imp · · Score: 3, Interesting

      And it's just "currently". Breaking into unjailbroken phones or taking advantage of bugs is the main game already.

      Interesting, this -- they alter the audio such that its Apple-encrypted path to the Siri server can be analyzed to extract the hidden data without decrypting the stream.

      I often wondered about a similar thing: if a server could pulse the data it sends encrypted, that would allow tracking through any layers of encryption. Say goodbye to Tor & friends. You'd have to add random delay to data at each node.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    4. Re:Requirement to have compromised device by AK+Marc · · Score: 1

      How many is "non-trivial"? With things like https://www.techinasia.com/chi... it seems that jailbreaking is no longer as necessary as before.

    5. Re:Requirement to have compromised device by TrancePhreak · · Score: 1

      iOS web vulnerabilities that auto-jailbreak and install backdoors? It's never happened, but I do believe it's possible: http://www.securityweek.com/mo...

      --

      -]Phreak Out[-
    6. Re:Requirement to have compromised device by Anonymous Coward · · Score: 0

      if a server could pulse data it sends encrypted, which would allow tracking through any layers of encryption. Say goodbye to tor

      http://yro.slashdot.org/story/...

      uses a technique which injects a repeating traffic pattern into the TCP connection associated with an exit node, and then compares subsequent aberrations in network timing with the traffic flow records

      Known attack, is successful. NSA apologists are all "nawwww TOR is just fine, carry on folks. you have to own the router of your target to get this information, ignore PRISM tracking every connection everywhere, blah blah blah"

    7. Re:Requirement to have compromised device by Eythian · · Score: 1

      It has happened; there used to be a site called (something like) jailbreakme that would escape the Safari sandbox and jailbreak your iPhone. In this case, you had to press a button to confirm, but I think that was simply politeness. I'd bet there were malicious uses of it in the wild too.

    8. Re:Requirement to have compromised device by gl4ss · · Score: 1

      if you have code already running on the phone it's trivial to send data out from the device.

      the article is stupid. the researcher is double stupid, only looking to make a stir with a fucking stupid write-up that deliberately claims that something people use daily is compromised. it's deceitful journalism/research. the researcher should be hit on the toes with a hammer.

      next up: "google chrome can be used to send data out from a computer maliciously.... ....from a computer you already have root access on"!

      --
      world was created 5 seconds before this post as it is.
    9. Re:Requirement to have compromised device by ArcadeMan · · Score: 1

      And what is your source for this "non-trivial number"? Your nerd friends don't represent the majority of users.

    10. Re:Requirement to have compromised device by Anonymous Coward · · Score: 1

      Your nerd friends don't represent the majority of users.

      Ha! The jokes on you. I don't have any friends.

  3. Huh? by Ecuador · · Score: 5, Insightful

    it doesn't require the installation of additional software components and it doesn't need the device's alteration.

    On the other hand, it only works on jailbroken devices

    Too bad jailbreaking actually requires the device's alteration / installation of additional software components...

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
  4. Big deal out of nothing by thetoadwarrior · · Score: 4, Insightful

    It's interesting but hardly a concern given the requirements to make it work.

    1. Re:Big deal out of nothing by _Sharp'r_ · · Score: 1

      Yeah, I'm waiting for someone to run a broadcast radio or TV advertisement that says something like "Hey Siri, call 703 555 1212" (pay-per-call line) or "Hey Siri, directions to XYZ business", or even "Hey Siri, search for malicious iPhone jailbreak website". You can also substitute in "OK Google" to catch Android phones...

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
  5. Doomed, I say by ctime · · Score: 5, Insightful

    Jailbroken phone susceptible to data exfiltration while on a special malicious network?? Apple is dying.

    1. Re:Doomed, I say by macs4all · · Score: 1

      Jailbroken phone susceptible to data exfiltration while on a special malicious network?? Apple is dying.

      Mods: +5 Insightful. REALLY?!?

  6. Re:Raise the Iron Curtain! by Anonymous Coward · · Score: 0

    DAFUQ?

  7. Same group of researchers... by BadPirate · · Score: 3, Funny

    ... that discovered that the Schlage security deadbolts have been compromised, and can be unlocked without the use of a key! Assuming, of course, you are inside the house.

    --
    - Holy crap, I've got MOD points! Who thought that was a good idea.
    1. Re:Same group of researchers... by Anonymous Coward · · Score: 0

      How would you use the key from inside the house?

  8. mandatory apple story by Swampash · · Score: 0

    Gotta meet those quotas for SEO whoring.

  9. Consistency by LMariachi · · Score: 0

    "Steal," huh? Everyone gets all adamant about drawing a distinction between theft and copyright violation when we're talking about the MAFIAAs; can we please apply a consistent standard to cases when it's ordinary users being "stolen" from?

    1. Re:Consistency by Actually,+I+do+RTFA · · Score: 1

      Everyone gets all adamant about drawing a distinction between theft and copyright violation when we're talking about the MAFIAAs; can we please apply a consistent standard to cases when it's ordinary users being "stolen" from

      Well, the difference is actually important. In one case, the data is being published and intended to be published; it's just a matter of optimizing compensation models. That is, the reason people object to copyright infringement is the potential loss of a sale. In the other, the person's privacy is being breached, so something is in fact getting lost.

      Or, to use an analogy, it's the difference between sharing photos that were in Playboy, and sharing photos copied off an unsuspecting person's device.

      --
      Your ad here. Ask me how!
    2. Re: Consistency by Anonymous Coward · · Score: 0

      So if your photos end up in Playboy, what does that mean? Your analogy sucks, idiot.

    3. Re:Consistency by AK+Marc · · Score: 1

      "Stolen" is taken in a manner that causes a permanent loss, denying the owner the benefit of it. Stealing a movie isn't stealing because they can still sell it another million times. But stealing an identity does deny the previous owner the use of it. That identity no longer "works", so the previous owner must spend real money to create it again. That's a provable loss. Not the same as if I copy a movie in my house and give a copy to my family; the movie makers would never know, so no "loss" can be recorded.

    4. Re:Consistency by LMariachi · · Score: 1

      So whether it's stealing depends on if the victim notices? Pickpockets of the world rejoice.

    5. Re:Consistency by AK+Marc · · Score: 1

      Actually, yes. That's why Grand Theft Auto is separately defined. As stealing a car with the intention of running it out of gas on a joyride is not "theft" by the legal definition of the word. If it's not a permanent "loss", then it isn't theft. A non-loss can't be a theft. And a taking intended to be temporary is also not theft.

      I know it confuses you that the legal definition doesn't match your desired emotional use of the word. But reality doesn't bend to your will.

    6. Re:Consistency by LMariachi · · Score: 1

      stealing a car with the intention of running it out of gas on a joyride is not "theft" by the legal definition of the word

      I don't know what kind of bizarro legal system you live under, but it's not one I've ever heard of. Whether something is considered theft/larceny/stealing doesn't hinge on whether the property is eventually recovered. But this is veering offtopic, and I've already been modded down for that once in this thread, so good night.

    7. Re:Consistency by AK+Marc · · Score: 1

      Name your jurisdiction. Mine is valid in Texas and Alaska (the two places in the US I've lived longest, and yes, I read law for fun in my spare time, started as a kid when I'd spend some school breaks at my dad's legal practice).

      But this is veering offtopic, and I've already been modded down for that once in this thread, so good night.

      Your attack on "theft" that was factually and legally wrong was rightly modded down, but an on-topic discussion 6 deep (on topic because the discussion is about the definition of a word in the title of the submission) won't get you modded down. Sounds more like you are willfully ignorant of the definition of "theft" so you can bash others you don't like. That is what got you modded down, and will when you do it again. Good day.

    8. Re:Consistency by gl4ss · · Score: 1

      you might want to check up on that.

      "unauthorized use" or similar terms are used in pretty much all of the west for.. well, unauthorized use, like joyriding. if the joyriding ends up destroying it then it's destruction of property..

      you know how destroying property isn't theft as such.

      why the distinctions? because usually it's more "bad" if the crime is done with profit in mind (like reselling the car)

      --
      world was created 5 seconds before this post as it is.
    9. Re:Consistency by gnupun · · Score: 1

      Stealing a movie isn't stealing because they can still sell it another million times.

      This same old canard from the anti-IP and freeloaders association. If you can legally watch that movie without paying, why should anyone else be required to pay? And if no one pays, how will the movie producer generate revenue to even cover the cost of making the movie, let alone profit? If someone loses profit because of unethical and illegal actions of another, it's a crime. So copying that movie is a crime.

      Here's Webster's definition for stealing as applied to non-tangible goods such as IP:

      to wrongly take and use (another person's idea, words, etc.)

    10. Re:Consistency by gnasher719 · · Score: 1

      I don't know what kind of bizarro legal system you live under, but it's not one I've ever heard of. Whether something is considered theft/larceny/stealing doesn't hinge on whether the property is eventually recovered. But this is veering offtopic, and I've already been modded down for that once in this thread, so good night.

      In Germany, when the very first "theft" of electricity happened (connecting to the neighbour's power cable and having him pay the electricity bill), it turned out that this was no theft according to the existing laws, and a new law was added. Fraud laws had to be changed because of computer fraud; before that, fraud had the legal requirement that a _person_ had to be given false information, and with careful construction a computer could be defrauded without giving false information to any person.

    11. Re:Consistency by AK+Marc · · Score: 1

      If someone loses profit because of unethical and illegal actions of another, it's a crime.

      Holy circular reasoning. It's a crime because it's illegal. Oh, and copyright violation isn't usually a "crime" but a "tort", well, for most copyright infringement.

      So yelling "fire" in a theater isn't criminal negligence (trying to cause harm to others through lie/fraud), but theft, if any of those patrons leave because of the "fire" and request their money back. The person yelling "fire" stole from the theater and movie makers by his actions causing a loss of profit from the movie theater. Would it matter if the person requesting a refund bought popcorn?

      Here's Webster's definition for stealing as applied to non-tangible goods such as IP:

      When you are using words like "illegal" and "crime" you should stick to the legal definitions. Shopping dictionaries to find the one definition you like doesn't work in court. I'm using the legal definition, and no, taking a websters dictionary into court won't sway the judge.

      Texas Penal Code Title 7, Section 31

      THEFT. (a) A person commits an offense if he unlawfully appropriates property with intent to deprive the owner of property.

      "Appropriate" means: (A) to bring about a transfer or purported transfer of title to or other nonpossessory interest in property, whether to the actor or another; or (B) to acquire or otherwise exercise control over property other than real property.
      "Deprive" means: (A) to withhold property from the owner permanently or for so extended a period of time that a major portion of the value or enjoyment of the property is lost to the owner;

      If you are in Texas, that is the *only* valid definition of theft. It's literally defined by law. And before you ask, it's nearly identical everywhere. I've looked.

  10. Siri, what's my password? by Anonymous Coward · · Score: 0

    Beep - Beep.

    Your password is 123456

  11. And by Ol+Olsoc · · Score: 1

    If someone had the password to my computer, in its locked room, the encryption password for my encrypted drive, and personal access to my airgapped computer, they could steal everything I have!

    How can we stop this egregious security issue!

    Every single aspect of computing is insecure if you add enough caveats.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  12. Stealing is Bad by Anonymous Coward · · Score: 0

    No Yipppppeeesss.

  13. May we change the title? by riskkeyesq · · Score: 1

    Perhaps to something more descriptive. I suggest: "Here's another way that you can't hack a properly maintained iPhone, but thanks for the clicks".

  14. Questionable research by CaptQuark · · Score: 2

    In their experiments, Mazurczyk and Caviglione managed to use this method to exfiltrate data at a rate of 0.5 bytes per second. At this speed, it would take roughly 2 minutes to send a 16-digit payment card number to the attacker.

    2 minutes? One byte every 2 seconds for 16 characters should be 32 seconds. Plus, since they can control the encoding, they could send card numbers using only a nibble, so they could send all 16 numbers in 16 seconds.

    Either the original (non-posted) research showed ALL card information could be sent in 2 minutes, or they realized Siri communications are so short they would need multiple requests to get a full 30 seconds of sent audio. Sadly, the original information is not posted so the math discrepancy remains puzzling.

    1. Re:Questionable research by Actually,+I+do+RTFA · · Score: 1

      My assumption is they meant complete payment information for a credit card. So 16 digits, plus 3 digit code, plus expiration date, plus name on card (maybe plus zip code??). It could easily be 60 characters on average, and although most of that is numeric information that could be highly compressed, that could easily be the costs of a naive implementation.

      --
      Your ad here. Ask me how!
  15. Sponsored by Apple ? by Zoxed · · Score: 1

    Any chance the research was sponsored by Apple to make people more afraid of jailbreaking?

  16. Can you say stingray? by TheCarp · · Score: 1

    > On the other hand, it only works on jailbroken devices and attackers somehow need to be able to intercept the
    > modified Siri traffic.

    So basically, it's useful if you can run a stingray, and most effective against more sophisticated users who jailbreak their phones (yet still use Siri). Nice, real nice.

    --
    "I opened my eyes, and everything went dark again"
  17. JitterBug by brianerst · · Score: 1

    This reminds me of the JitterBug that got a lot of press back in 2006. It required such a ridiculous set of preconditions, it managed to be one of my dozen or so entries on my "dumb studies" blog. (Which is proof that I'm just as dumb - a blog about dumb studies?)

  18. That's a lot of "ifs". by wcrowe · · Score: 1

    I suppose this might be interesting to some people, but when it says, "it only works on jailbroken devices and attackers somehow need to be able to intercept the modified Siri traffic", well, that's a lot of "ifs" in there. It's sort of like walking up to someone and saying, "Can you make elephant soup?" And they reply, "Sure I can. First, I need an elephant. Then I need to chop the elephant into small pieces..." I mean, I guess, technically, someone can make elephant soup, but not that easily.

    --
    Proverbs 21:19