Researchers Use Siri To Steal Data From iPhones

wiredmikey writes "Using Apple's voice-activated Siri function, security researchers have managed to steal sensitive information from iOS smartphones in a stealthy manner. Luca Caviglione of the National Research Council of Italy and Wojciech Mazurczy of the Warsaw University of Technology warn that malicious actors could use Siri for stealthy data exfiltration by using a method that's based on steganography, the practice of hiding information. Dubbed "iStegSiri" by the researchers, the attack can be effective because it doesn't require the installation of additional software components and it doesn't need the device's alteration. On the other hand, it only works on jailbroken devices and attackers somehow need to be able to intercept the modified Siri traffic. The attack method involves controlling the "shape" of this traffic to embed sensitive data from the device. This covert channel could be used to send credit card numbers, Apple IDs, passwords, and other sensitive information from the phone to the criminal mastermind, researchers said in their paper.

Re:Requirement to have compromised device

[Impy+the+Impiuos+Imp]

And it's just "currently". Breaking into unjailbroken phones or taking advantage of bugs is the main game already.

Interesting this -- they alter an audio such that it's Apple-encrypted path to the Siri server can be analyzed to extrace the hidden data without decrypting the stream.

I often wondered about a similar thing, if a server could pulse data it sends encrypted, which would allow tracking through any layers of encryption. Say goodbye to tor & friends. You'd uave to add random delay to data at each node.