Siri Protocol Cracked

First time accepted submitter jisom writes with something that will probably not be working come morning. Quoting the source: "Today, we managed to crack open Siri's protocol. As a result, we are able to use Siri's recognition engine from any device. Yes, that means anyone could now write an Android app that uses the real Siri! Or use Siri on an iPad! And we're going to share this know-how with you." Basically, Siri sends the data to the processing server using non-standard HTTP extensions. Of note is that the audio is encoded using Ogg Speex.

Re:Slightly less impressed

[aXis100]

Doing the processing on the server seems very slow to me - I can find a contact much faster by pressing the first few letters than waiting for the round-trip latency to siri.

Heaps of people have tried to demo siri to me and most of the time it was a gimick that failed badly - either was slower than manual methods or just innacurate.

Re:You still need iPhone 4S

[Odin_Zifer]

If some one where to gather a couple dozen unique ID's they could use those to setup a Siri relay service.

Re:You still need iPhone 4S

[inflex]

Genuine question... couldn't you just get the GUIDs of existing valid iPhones?

A lesson in client/server security

[AndrewStephens]

TFA is actually pretty interesting:

As you know, the “S” in HTTPS stands for “secure” : all traffic between a client and an https server is ciphered. So we couldn’t read it using a sniffer. In that case, the simplest solution is to fake an HTTPS server, use a fake DNS server, and see what the incoming requests are. Unfortunately, the people behind Siri did things right : they check that guzzoni’s certificate is valid, so you cannot fake it. Well they did check that it was valid, but thing is, you can add your own “root certificate”, which lets you mark any certificate you want as valid.

Some Apple software (parts of iTunes) goes further and checks that the certificate presented by the server is actually signed by Apple. If the Siri software did this then the server would be impossible to fake man-in-middle-wise without hacking the client itself. Just checking that the certificate is valid is pretty useless protection - any certificate could be valid, what you care about is whether the server is who it says it is.

Re:Win for Xiph (and open source)

[mug funky]

it's a consortium. Dolby developed AC-3, and some tools they've developed are no doubt in the AAC spec, but AAC is essentially mp3 without the filterbank (which of course changed it a ton), and some nice features like long-term prediction, noise substitution etc etc.

Re:The scam of Siri

[InterruptDescriptorT]

Crickey! Loo' at that. We're very lucky! You almost never see a four digit this far from its native habitat of lurking. Ah she's a beaut!

Can this become a new Slashdot meme, please?

Re:Slightly less impressed

[Fallingcow]

Apple's actually pretty quick to reject apps for not offering enough functionality over a website. Simply embedding a site in a webview and calling it an app (what was implied to be happening upthread) is pretty much a 100% guaranteed way to get your app rejected.

Re:Slightly less impressed

[cgenman]

It's terribly obnoxiously slow. It's also a lot broader than previous voice-command efforts. I set a baking timer by saying "Siri, set an alarm for twenty minutes from now." I had no idea that "twenty minutes from now" would be something that Siri understood. It just seemed like it would make sense. And it just worked. "Text my wife that I'll be about 10 minutes late" works too.

Well, it works when the network is responding. And it works terribly slow. But it is really a step towards natural language understanding of voice. Or rather, unlike a lot of other efforts I feel like the phone is trying to understand me rather than the other way around.