Forgot your password?
typodupeerror
Apple

Siri Protocol Cracked 403

Posted by Unknown Lamer
from the siri-like-way-ogg-speex dept.
First time accepted submitter jisom writes with something that will probably not be working come morning. Quoting the source: "Today, we managed to crack open Siri's protocol. As a result, we are able to use Siri's recognition engine from any device. Yes, that means anyone could now write an Android app that uses the real Siri! Or use Siri on an iPad! And we're going to share this know-how with you." Basically, Siri sends the data to the processing server using non-standard HTTP extensions. Of note is that the audio is encoded using Ogg Speex.
This discussion has been archived. No new comments can be posted.

Siri Protocol Cracked

Comments Filter:
  • by CmdrPony (2505686) on Monday November 14, 2011 @11:39PM (#38055616)
    While you could write an Android app or anything else, the protocol sends an unique ID with the request. That ID is unique to every iPhone 4S. End result being, you can probably use your own for your personal use, but if you try to sell an App for Android and include your ID with it, Apple will just blacklist it. So you will still need your own iPhone 4S.
  • by ackthpt (218170) on Monday November 14, 2011 @11:44PM (#38055642) Homepage Journal

    3.. 2.. 1...

  • by RightwingNutjob (1302813) on Monday November 14, 2011 @11:49PM (#38055666)
    I thought it ran on the phone itself.
    • Re: (Score:3, Informative)

      by Anonymous Coward

      Ummmm.... no.... that would be why Siri fails so often due to network issues.

    • by Darinbob (1142669) on Monday November 14, 2011 @11:57PM (#38055724)

      That's what they wanted people to think. 99% of all phone apps have very little to do with the actual phone and instead they're just quick reference URLs to some external site that does most of the work. Of course they tie all the apps to the phone so that you can't bypass the store.

      • Re: (Score:3, Informative)

        by Anonymous Coward

        Apple has stated publicly that Siri uses Apple servers for processing. And observing the behavior of the device under lost network connection makes this quite obvious.

      • by Swanktastic (109747) on Tuesday November 15, 2011 @01:15AM (#38056228)

        Haha! They fooled you too. The dirty little secret is that Siri is actually a nice old lady in Delhi.

      • Re: (Score:3, Informative)

        by afabbro (33948)

        99% of all phone apps have very little to do with the actual phone and instead they're just quick reference URLs to some external site that does most of the work.

        No.

        You're claiming that out of 500,000-odd iPhone apps, only 5,000 are anything more than just "quick reference URLs to some external site that does most of the work"?

        There are more than 5,000 games in the iOS app store.

        There are probably 10,000 calculators, flashlight apps, and fart sound effect apps.

        Sure, some apps are as you describe, and many apps talk to the net, but 99% are not just "quick reference URLs".

    • by Psyborgue (699890) on Monday November 14, 2011 @11:58PM (#38055728) Homepage Journal
      Why would they waste the processing horsepower? It would eat the battery if it was even at all possible. They can do higher quality recognition on their servers anyway. The customer does not need to know where the processing is done as long as "it just works". To the consumer, and even some more technically inclined, it's magic -- and that is the real genius in the way Apple presents it's products. They make people feel like they're somehow in the future, that they're talking to an intelligent phone, that Saint Steve has somehow created artificial life and they get to own a piece of this future for the price of a modest chunk of change and a two year contract.
      • by aXis100 (690904) on Tuesday November 15, 2011 @12:03AM (#38055770)

        Doing the processing on the server seems very slow to me - I can find a contact much faster by pressing the first few letters than waiting for the round-trip latency to siri.

        Heaps of people have tried to demo siri to me and most of the time it was a gimick that failed badly - either was slower than manual methods or just innacurate.

        • by _xeno_ (155264) on Tuesday November 15, 2011 @01:11AM (#38056196) Homepage Journal

          Doing the processing on the server seems very slow to me - I can find a contact much faster by pressing the first few letters than waiting for the round-trip latency to siri.

          Yep. It's extremely annoying, actually, because Siri replaces the existing voice commands. So doing something like "call brother" - which used to take maybe a half second - takes a good three seconds or so of lag time. More annoyingly is things like "play playlist driving songs" - first you have to wait for the three seconds round-trip processing, then you have to wait for the iPhone to decide which playlist that matches ("Looking for playlist driving songs," Siri says), then you have to wait for her to narrate "playing playlist driving songs" before the music actually starts.

          Compare to the previous, non-Siri version:

          "Play playlist driving songs."
          (half-second pause) "Playing playlist driving songs." (music starts)

          Yay progress. About the only thing I use Siri for is asking dumb questions and seeing what responses I get. For actual voice controls, it's - well, not useless, exactly, just obnoxiously slow.

          • by R3d M3rcury (871886) on Tuesday November 15, 2011 @02:21AM (#38056508) Journal

            Of course, now you can say things like, "Boy, I'd love to hear some driving songs" or "Driving songs would sound good right about now." See? There's less of the "command" protocol and more like you're speaking to an actual person!

            Of course, the person you're talking to is a little slow. But that's better than having to use some specific syntax, right?

            (The above is sarcasm.)

          • by CharlyFoxtrot (1607527) on Tuesday November 15, 2011 @02:39AM (#38056586)

            So turn it off [apple.com] : "If you wish to use Voice Control while you are not connected to the Internet, turn Siri off from Settings > General > Siri. Make sure to turn Siri back on when you have Internet connectivity and you wish to use it again."

            • Re: (Score:3, Insightful)

              Given that Apple are touted as masters of seamless and intuitive user interface design, how come this process isn't automated? It would seem to me that it'd be pretty trivial to, at the very least, detect lack of network connectivity, and turn it off accordingly.

          • by cgenman (325138) on Tuesday November 15, 2011 @03:17AM (#38056736) Homepage

            It's terribly obnoxiously slow. It's also a lot broader than previous voice-command efforts. I set a baking timer by saying "Siri, set an alarm for twenty minutes from now." I had no idea that "twenty minutes from now" would be something that Siri understood. It just seemed like it would make sense. And it just worked. "Text my wife that I'll be about 10 minutes late" works too.

            Well, it works when the network is responding. And it works terribly slow. But it is really a step towards natural language understanding of voice. Or rather, unlike a lot of other efforts I feel like the phone is trying to understand me rather than the other way around.

    • The scam of Siri (Score:5, Insightful)

      by jmorris42 (1458) * <jmorris@[ ]u.org ['bea' in gap]> on Tuesday November 15, 2011 @12:00AM (#38055756)

      > I thought it ran on the phone itself.

      Nope, and that is the scam. Basically you are calling a service. Thus they could make Siri available on every iProduct with zero effort. That they decided to hold it as an exclusive feature for the 4S to try and create the 'gotta upgrade' stampede is truly lame. Keeping it to iProducts is ok, they ain't giving away a hefty compute farm after all, who do ya think they are after all, Google? But locking access to the service to one submodel of one product line is a terrible idea.

      • Re:The scam of Siri (Score:4, Informative)

        by Torodung (31985) on Tuesday November 15, 2011 @12:13AM (#38055834) Journal

        It's still a bit scammy, but I would guess they're using early adopters as a massive beta test before rolling it out to iLife in general, so rather than depriving anyone, they're being cautious and scaling up usage slowly. Think "Apple Newton," and it's reasonable to suspect the company may still be a little gun shy with this kind of tech. Even if it is running "in the cloud" instead of on the device, there's a whole lot that could go wrong with Siri [siriousfails.com]. (Page is for entertainment purposes only. Not to be construed as actual examples. I am a non-attorney spokesperson.)

        More than that, availability matters here, and they want the initial adopters to have a premium experience before they roll it out to the hoi polloi, and everything goes pear shape when they run into the usual scaling issues. You know, like the ones AT&T ran into with the first iPhones.

      • by bucky0 (229117)

        It's my understanding from reading the articles from a guy who managed to hack it onto the 3GS that the 4S actually has some pretty good voice canceling hardware onboard. Whether or not that's true, I can't say, but from the article I read, apparently things needed to be VERY quiet or the text-to-speech would fail hard.

      • by Shadowruni (929010) on Tuesday November 15, 2011 @01:08AM (#38056180) Journal
        Crickey! Loo' at that. We're very lucky! You almost never see a four digit this far from its native habitat of lurking. Ah she's a beaut!
      • by wvmarle (1070040)

        It also means that to have Siri work you have to pay for a data account (preferably an unlimited account - this will eat a lot of data if used frequently), as otherwise it will simply not work.

        This may be a non-issue for markets like the US where you can only get a phone in conjunction with a heavily overpriced contract that by default includes data, it is an issue for other markets where plans and phones are separated.

        I don't have a mobile data plan with my smart phone, don't see the need for it really,

    • by SeaFox (739806)

      Nope, that's why the carriers love it, too. Every time you use Siri you're drawing KBs on your (mostly likely) not-unlimited data plan.

  • So it's remote? (Score:3, Insightful)

    by Stormwatch (703920) <rodrigogirao AT hotmail DOT com> on Monday November 14, 2011 @11:52PM (#38055688) Homepage

    So the iPhone can't really do the speech recognition and synthesis by itself? That's quite underwhelming.

  • by nzac (1822298) on Monday November 14, 2011 @11:56PM (#38055716)

    Appears that Xiph came out on top for speech codecs.

    This also shortly after apple realized that ALAC was going to fail (at least as a closed source product, they may push it better as an open source project now it can be played by everyone).

    They still have the very entrenched AAC though.

    • by iluvcapra (782887)

      They don't have AAC. AAC is an MPEG-4 standard invented and licensed to MPEG-LA by the only company that could ever out-Apple Apple on IP, Dolby Laboratories.

    • by pipedwho (1174327) on Tuesday November 15, 2011 @12:17AM (#38055860)

      Isn't AAC just the MPEG4 version of what we know as mp3 (which is really just MPEG1/Audio layer 3)? There are already many open source implementations of AAC, so I don't see it as the same thing.

      The real problem with AAC is the MPEG patent swamp. Even if Apple were to release an open source codec, it would still be under the same shadow that hangs over anyone that isn't lining the pockets of the MPEG licensing body.

    • by Guy Harris (3803)

      Appears that Xiph came out on top for speech codecs.

      ...in the opinion of a spin-off from SRI; it might've been easier for them to go with an open source codec than to license a non-open-source codec. Remember, Apple bought the company that developed Siri; they didn't develop it themselves from Day One.

      I'm not saying that the availability of the codec as open source was one of the reasons for the choice and that, if the open-source availability weren't an advantage, it would have lost to some closed-source codec; I'm just saying that one shouldn't assume th

    • by bhcompy (1877290) on Tuesday November 15, 2011 @01:10AM (#38056192)
      Yet the music player still doesn't support Ogg Vorbis.
      • by nzac (1822298)

        Thus since iTunes and iPods have the vast majority of the market share makes it so entrenched that it won't be changing any-time soon.

    • Apple bought Siri (Score:5, Insightful)

      by dutchwhizzman (817898) on Tuesday November 15, 2011 @01:18AM (#38056234)
      There's an awfully big chance the codec was determined and implemented way before Apple even touched the product.
      • by nzac (1822298) on Tuesday November 15, 2011 @01:40AM (#38056320)

        I would think a general purpose speech codec would not be so hard coded into a product it could not be swapped out in a couple of days. I dont think there is speech recognition optimisation built in.

        Unless they are going to change it (which since its still in beta they could do), its a win no matter how it got there.

  • Nothing new (Score:5, Funny)

    by CanEHdian (1098955) on Tuesday November 15, 2011 @12:04AM (#38055776)
    I knew this long ago... I just asked "Siri, what protocols are you using to communicate with your server?"
  • Command: (Score:5, Funny)

    by PowerCyclist (2058868) on Tuesday November 15, 2011 @12:06AM (#38055786) Homepage
    "Siri, Don't sue. Confirm.", Siri, "I'm afraid I can't do that Dave."
    • "Siri, Don't sue. Confirm.", Siri, "I'm afraid I can't do that Dave."

      That's fine and all, but my name is not Dave..

  • Would Apple mind? (Score:5, Insightful)

    by fluffy99 (870997) on Tuesday November 15, 2011 @12:08AM (#38055792)

    If Apple is learning anything from Google, it's that customer info is valuable. Siri could easily become an advertising platform that rivals Google. Targeted advertising, where companies pay Apple for premium listings ( eg Asking Siri about a Pizza place returns Pizza Hut who paid the most for that key word).

    If that's their angle, they might welcome more traffic to Siri.

    • by cowboy76Spain (815442) on Tuesday November 15, 2011 @04:41AM (#38057114)

      If Apple is learning anything from Google, it's that customer info is valuable. Siri could easily become an advertising platform that rivals Google. Targeted advertising, where companies pay Apple for premium listings ( eg Asking Siri about a Pizza place returns Pizza Hut who paid the most for that key word).

      If that's their angle, they might welcome more traffic to Siri.

      <sarcasm>Yes, they are so thrilled by it. They wanted that everyone could connect to their servers, but they did not know how to make their protocols public. Being hacked has solved that problem!...</sarcasm>

      What this crack means (unless has additional security measures) is that Siri will need a lot more of processing power and, what is worse, there is no way to predict how much power it will need now. Without getting to dip into related profits (selling of hardware / associated programs / etc). I bet they are doing a party right now just to celebrate!

      Seriously, WTF? The crack does not give anything interesting/new away, just puts a third party in a position where it can be abused. If the people behind Siri wanted everyone to connect, they could have stated that themselves. Those are two very simple thoughts that everyone in /. could understand, yet they instead just follow the most retorted logic to justify it.

      At least we are not discussing crimes here. If talking about murders, I bet some of you would posts things like "Thanks to the serial killer that murdered his wife and children, now he can chose a new wife and have more kids!"

  • by n5vb (587569) on Tuesday November 15, 2011 @12:12AM (#38055830)
    .. can you ask Siri "where to hide a body" before a backend notification gets emailed to a detective at your local PD?
  • by AndrewStephens (815287) on Tuesday November 15, 2011 @12:52AM (#38056094) Homepage

    TFA is actually pretty interesting:

    As you know, the “S” in HTTPS stands for “secure” : all traffic between a client and an https server is ciphered. So we couldn’t read it using a sniffer. In that case, the simplest solution is to fake an HTTPS server, use a fake DNS server, and see what the incoming requests are. Unfortunately, the people behind Siri did things right : they check that guzzoni’s certificate is valid, so you cannot fake it. Well they did check that it was valid, but thing is, you can add your own “root certificate”, which lets you mark any certificate you want as valid.

    Some Apple software (parts of iTunes) goes further and checks that the certificate presented by the server is actually signed by Apple. If the Siri software did this then the server would be impossible to fake man-in-middle-wise without hacking the client itself. Just checking that the certificate is valid is pretty useless protection - any certificate could be valid, what you care about is whether the server is who it says it is.

    • by jibjibjib (889679) on Tuesday November 15, 2011 @01:50AM (#38056382) Journal

      It's not a "pretty useless protection". It's not just checking that the certificate is valid, it's also checking that the certificate authority has a corresponding root certificate installed on the iPhone. It stops anyone who doesn't have access to the phone from eavesdropping or manipulating the data.

      • I think you have missed my point. If the certificate is signed by some random authority it is "valid" but that only says that the authority (whoever that is) trusts the server. If the client did as it should (and what other Apple apps do), then it should check that the certificate is signed by a authority that it can check directly using the authority's public key built into the client.

        That way it would be impossible to spoof the server and perform man-in-the-middle attack without either a) knowing the priv

  • by pavera (320634) on Tuesday November 15, 2011 @12:59AM (#38056138) Homepage Journal

    I knew they were doing some heavy lifting on the server side, cause obviously it doesn't work without a network connection.

    However, I figured they would at least do an initial processing pass on the phone and pass up the data points to the server instead of the raw audio. That at least would make sense, and you'd be able to pass much smaller amounts of data. It would also explain the need to have better hardware on the phone. Sending the raw audio seems insane.

  • wow (Score:5, Insightful)

    by buddyglass (925859) on Tuesday November 15, 2011 @01:23AM (#38056252)
    It seems fairly ill-advised for a company whose business is developing iOS apps to post their reverse engineering exploits on the corporate blog.
  • by StripedCow (776465) on Tuesday November 15, 2011 @06:24AM (#38057666)

    I don't understand these hackers, they only promote the lock-in policies of Apple. Because having Siri for a while may lure more users to Apple. After a while, Apple will just close the hole by using the UID's of the phone, like others mentioned, or some kind of unbreakable private-key cryptosystem.

    Further, all those jailbreaking tools which are available just give Apple users a reason to say "hey, I'm not locked in, I can always jailbreak my device".

    While you can root your device now, it does not mean you can root it forever. Apple devs are smart enough to make the system close to unbreakable, because cryptography is not that hard, and by the way, they are baking their own ICs now.

    So I think Apple is just happy with this (relatively small) jailbreaking scene, just like Microsoft was happy with their software being illegally copied for a long while.

Things are not as simple as they seems at first. - Edward Thorp

Working...