Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?

Siri Protocol Cracked 403

First time accepted submitter jisom writes with something that will probably not be working come morning. Quoting the source: "Today, we managed to crack open Siri's protocol. As a result, we are able to use Siri's recognition engine from any device. Yes, that means anyone could now write an Android app that uses the real Siri! Or use Siri on an iPad! And we're going to share this know-how with you." Basically, Siri sends the data to the processing server using non-standard HTTP extensions. Of note is that the audio is encoded using Ogg Speex.
This discussion has been archived. No new comments can be posted.

Siri Protocol Cracked

Comments Filter:
  • by CmdrPony ( 2505686 ) on Monday November 14, 2011 @11:39PM (#38055616)
    While you could write an Android app or anything else, the protocol sends an unique ID with the request. That ID is unique to every iPhone 4S. End result being, you can probably use your own for your personal use, but if you try to sell an App for Android and include your ID with it, Apple will just blacklist it. So you will still need your own iPhone 4S.
  • by Anonymous Coward on Monday November 14, 2011 @11:53PM (#38055692)

    Ummmm.... no.... that would be why Siri fails so often due to network issues.

  • by CmdrPony ( 2505686 ) on Monday November 14, 2011 @11:54PM (#38055704)
    They are already sending everything with HTTPS. That's why the researchers had to use gateway machine and certificate tricks to do man-in-the-middle attack.
  • by Anonymous Coward on Tuesday November 15, 2011 @12:01AM (#38055758)

    Apple has stated publicly that Siri uses Apple servers for processing. And observing the behavior of the device under lost network connection makes this quite obvious.

  • by Fnord666 ( 889225 ) on Tuesday November 15, 2011 @12:08AM (#38055806) Journal

    Here is an easier solution, how about just send everything via HTTPS.

    Apple is. From TFA:

    Surprisingly, when we did, we wouldnâ(TM)t gather any traffic when using Siri. So we ressorted to using tcpdump on a network gateway, and we realised Siriâ(TM)s traffic was TCP, on port 443, to a server at

    The app even validated that the cert used was signed by a trusted CA. Fortunately the iphone4S allows you to add your own trusted CA to the trust chain.

  • Re:The scam of Siri (Score:4, Informative)

    by Torodung ( 31985 ) on Tuesday November 15, 2011 @12:13AM (#38055834) Journal

    It's still a bit scammy, but I would guess they're using early adopters as a massive beta test before rolling it out to iLife in general, so rather than depriving anyone, they're being cautious and scaling up usage slowly. Think "Apple Newton," and it's reasonable to suspect the company may still be a little gun shy with this kind of tech. Even if it is running "in the cloud" instead of on the device, there's a whole lot that could go wrong with Siri []. (Page is for entertainment purposes only. Not to be construed as actual examples. I am a non-attorney spokesperson.)

    More than that, availability matters here, and they want the initial adopters to have a premium experience before they roll it out to the hoi polloi, and everything goes pear shape when they run into the usual scaling issues. You know, like the ones AT&T ran into with the first iPhones.

  • by hydrofix ( 1253498 ) on Tuesday November 15, 2011 @12:28AM (#38055932)

    Sure. But then you'd have to buy an iPhone.

  • by Anonymous Coward on Tuesday November 15, 2011 @12:50AM (#38056074)
    Or use an open WiFi access point. I'd point out the iThingies send their UUID in a lot of requests to Apple servers over ordinary HTTP. I know this because I block it in Privoxy.
  • by _xeno_ ( 155264 ) on Tuesday November 15, 2011 @01:11AM (#38056196) Homepage Journal

    Doing the processing on the server seems very slow to me - I can find a contact much faster by pressing the first few letters than waiting for the round-trip latency to siri.

    Yep. It's extremely annoying, actually, because Siri replaces the existing voice commands. So doing something like "call brother" - which used to take maybe a half second - takes a good three seconds or so of lag time. More annoyingly is things like "play playlist driving songs" - first you have to wait for the three seconds round-trip processing, then you have to wait for the iPhone to decide which playlist that matches ("Looking for playlist driving songs," Siri says), then you have to wait for her to narrate "playing playlist driving songs" before the music actually starts.

    Compare to the previous, non-Siri version:

    "Play playlist driving songs."
    (half-second pause) "Playing playlist driving songs." (music starts)

    Yay progress. About the only thing I use Siri for is asking dumb questions and seeing what responses I get. For actual voice controls, it's - well, not useless, exactly, just obnoxiously slow.

  • by afabbro ( 33948 ) on Tuesday November 15, 2011 @01:43AM (#38056336) Homepage

    99% of all phone apps have very little to do with the actual phone and instead they're just quick reference URLs to some external site that does most of the work.


    You're claiming that out of 500,000-odd iPhone apps, only 5,000 are anything more than just "quick reference URLs to some external site that does most of the work"?

    There are more than 5,000 games in the iOS app store.

    There are probably 10,000 calculators, flashlight apps, and fart sound effect apps.

    Sure, some apps are as you describe, and many apps talk to the net, but 99% are not just "quick reference URLs".

  • by R3d M3rcury ( 871886 ) on Tuesday November 15, 2011 @02:21AM (#38056508) Journal

    Of course, now you can say things like, "Boy, I'd love to hear some driving songs" or "Driving songs would sound good right about now." See? There's less of the "command" protocol and more like you're speaking to an actual person!

    Of course, the person you're talking to is a little slow. But that's better than having to use some specific syntax, right?

    (The above is sarcasm.)

  • by bemymonkey ( 1244086 ) on Tuesday November 15, 2011 @02:31AM (#38056554)

    There is nothing available on Android that's anywhere near as functional as Siri (seems to be in the ads). Voice recognition is OK (but largely dependent on the quality of your device - if the manufacturer [HTC, cough] used cheap mics, no chance), but unless you want to call someone or search Google, you're going to need to do it the old fashioned way.

    And yes, I'm one of the rabid Android fanboys you seem to be encountering so often ;)

  • by CharlyFoxtrot ( 1607527 ) on Tuesday November 15, 2011 @02:39AM (#38056586)

    So turn it off [] : "If you wish to use Voice Control while you are not connected to the Internet, turn Siri off from Settings > General > Siri. Make sure to turn Siri back on when you have Internet connectivity and you wish to use it again."

  • by Trogre ( 513942 ) on Tuesday November 15, 2011 @04:24AM (#38057036) Homepage

    Not that it's relevant to the argument at hand, but you might like to research the practice of back-firing, in relation to creating a firebreak, particularly with bushfires.

  • by Anonymous Coward on Tuesday November 15, 2011 @05:24AM (#38057352)

    If it's just HTTP, you just need a laptop with packet sniffing software. Just find a cafe with wifi frequented by iDrones and pluck the UUIDs out of the air! It wouldn't surprise me if there are already databases of UUIDs being compiled and available on black markets

I'd rather just believe that it's done by little elves running around.