Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Use Siri To Steal Data From iPhones

Posted by samzenpus on from the protect-ya-neck dept.

wiredmikey writes "Using Apple's voice-activated Siri function, security researchers have managed to steal sensitive information from iOS smartphones in a stealthy manner. Luca Caviglione of the National Research Council of Italy and Wojciech Mazurczy of the Warsaw University of Technology warn that malicious actors could use Siri for stealthy data exfiltration by using a method that's based on steganography, the practice of hiding information. Dubbed "iStegSiri" by the researchers, the attack can be effective because it doesn't require the installation of additional software components and it doesn't need the device's alteration. On the other hand, it only works on jailbroken devices and attackers somehow need to be able to intercept the modified Siri traffic. The attack method involves controlling the "shape" of this traffic to embed sensitive data from the device. This covert channel could be used to send credit card numbers, Apple IDs, passwords, and other sensitive information from the phone to the criminal mastermind, researchers said in their paper.

8 of 55 comments (clear)

  1. Only works on jailbroken devices by Anonymous Coward · · Score: 4, Insightful

    Nothing to see here, move along.

    1. Re:Only works on jailbroken devices by Anonymous Coward · · Score: 4, Insightful

      Right, this effectively boils down to "if you install a root kit on a device, bad things can happen"... No shit sherlock.

  2. Requirement to have compromised device by Rosyna · · Score: 5, Insightful

    So in order for this to work, an iOS device must already be compromised with a jailbreak? Why is that news?

    1. Re:Requirement to have compromised device by Impy+the+Impiuos+Imp · · Score: 3, Interesting

      And it's just "currently". Breaking into unjailbroken phones or taking advantage of bugs is the main game already.

      Interesting this -- they alter an audio such that it's Apple-encrypted path to the Siri server can be analyzed to extrace the hidden data without decrypting the stream.

      I often wondered about a similar thing, if a server could pulse data it sends encrypted, which would allow tracking through any layers of encryption. Say goodbye to tor & friends. You'd uave to add random delay to data at each node.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  3. Huh? by Ecuador · · Score: 5, Insightful

    it doesn't require the installation of additional software components and it doesn't need the device's alteration.

    On the other hand, it only works on jailbroken devices

    Too bad jailbraking actually requires the device's alteration / installation of additional software components...

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
  4. Big deal out of nothing by thetoadwarrior · · Score: 4, Insightful

    It's interesting but hardly a concern given the requirements to make it work.

  5. Doomed, I say by ctime · · Score: 5, Insightful

    Jailbroken phone susceptible to data ex-filtration while on special malicious network?? Apple is dying.

  6. Same group of researchers... by BadPirate · · Score: 3, Funny

    ... That discovered that the Scalage security deadbolts have been compromised, and can be unlocked without the use of a key! Assuming of course you are inside the house.

    --
    - Holy crap, I've got MOD points! Who thought that was a good idea.