Researchers Use Siri To Steal Data From iPhones
wiredmikey writes "Using Apple's voice-activated Siri function, security researchers have managed to steal sensitive information from iOS smartphones in a stealthy manner. Luca Caviglione of the National Research Council of Italy and Wojciech Mazurczy of the Warsaw University of Technology warn that malicious actors could use Siri for stealthy data exfiltration by using a method that's based on steganography, the practice of hiding information. Dubbed "iStegSiri" by the researchers, the attack can be effective because it doesn't require the installation of additional software components and it doesn't need the device's alteration. On the other hand, it only works on jailbroken devices and attackers somehow need to be able to intercept the modified Siri traffic. The attack method involves controlling the "shape" of this traffic to embed sensitive data from the device. This covert channel could be used to send credit card numbers, Apple IDs, passwords, and other sensitive information from the phone to the criminal mastermind, researchers said in their paper."
Only works on jailbroken devices (Score:4, Insightful)
Nothing to see here, move along.
Re:Only works on jailbroken devices (Score:4, Insightful)
Right, this effectively boils down to "if you install a root kit on a device, bad things can happen"... No shit, Sherlock.
Re: (Score:3)
Around 30-35% of iPhones in China are jailbroken, if reports are to be believed. In any case, the jailbreaking tools get millions of downloads, so there are definitely a large number of people at risk.
While you make an interesting point it ignores the wider issues. People claim Android is insecure even though all of the malware needs you to enable installing from .apk files, and much of it needs root. At least on Android you can legitimately use other app stores like Amazon's, and even rooting your phone do
Re: (Score:2)
> Around 30-35% of iPhones in China are jailbroken, if reports are to be believed. In any case, the jailbreaking tools get millions of downloads,
Compared to over a hundred million iPhones sold each year? Yeah, whatever.
Requirement to have compromised device (Score:5, Insightful)
So in order for this to work, an iOS device must already be compromised with a jailbreak? Why is that news?
Re: (Score:1)
Because a non-trivial number of iPhone users jailbreak their devices?
Re: (Score:3, Interesting)
And it's just "currently". Breaking into unjailbroken phones or taking advantage of bugs is the main game already.
Interesting this -- they alter an audio such that its Apple-encrypted path to the Siri server can be analyzed to extract the hidden data without decrypting the stream.
I often wondered about a similar thing, if a server could pulse data it sends encrypted, which would allow tracking through any layers of encryption. Say goodbye to Tor & friends. You'd have to add random delay to data at ea
Re: (Score:2)
if you have code already running on the phone it's trivial to send data out from the device.
the article is stupid. the researcher is double stupid, only looking for to make a stir with a fucking stupid write up that deliberately claims that something people use daily is compromised. it's deceitful journalism/research. the researcher should be hit on the toes with a hammer.
next up: "google chrome can be used to send data out from a computer maliciously.... ....from a computer you already have root access on"
Re: (Score:2)
And what is your source for this "non-trivial number"? Your nerd friends don't represent the majority of users.
Re: (Score:1)
> Your nerd friends don't represent the majority of users.
Ha! The joke's on you. I don't have any friends.
Re: (Score:2)
It has happened, there used to be a site called (something like) jailbreakme that would escape the Safari sandbox and jailbreak your iPhone. In this case, you had to press a button to confirm, but I think that was simply politeness. I'd bet there were malicious uses of it in the wild too.
Huh? (Score:5, Insightful)
> it doesn't require the installation of additional software components and it doesn't need the device's alteration.
> On the other hand, it only works on jailbroken devices
Too bad jailbreaking actually requires the device's alteration / installation of additional software components...
Big deal out of nothing (Score:5, Insightful)
Re: (Score:2)
Yeah, I'm waiting for someone to run a broadcast radio or TV advertisement that says something like "Hey Siri, Call 703 555 1212" (pay per call line) or "Hey Siri, Directions to XYZ business", or even "Hey Siri, search for malicious iPhone jailbreak website". You can also substitute in "Ok Google" as well to catch Android phones...
Doomed, I say (Score:5, Insightful)
Re: (Score:1)
Jailbroken phone susceptible to data ex-filtration while on special malicious network?? Apple is dying.
Mods: +5 Insightful. REALLY?!?
Same group of researchers... (Score:4, Funny)
... That discovered that the Scalage security deadbolts have been compromised, and can be unlocked without the use of a key! Assuming of course you are inside the house.
mandatory apple story (Score:1)
Gotta meet those quotas for SEO whoring.
Consistency (Score:1)
"Steal," huh? Everyone gets all adamant about drawing a distinction between theft and copyright violation when we're talking about the MAFIAAs; can we please apply a consistent standard to cases when it's ordinary users being "stolen" from?
Re: (Score:2)
Well, the difference is actually important. In one case, the data is being published and intended to be published, it's just a matter of optimizing compensation models. That is, the reason people object to copyright infringement is the potential loss of a sale. In the other, the per
Re: (Score:2)
So whether it's stealing depends on if the victim notices? Pickpockets of the world rejoice.
Re: (Score:2)
I know it confuses you that the legal definition doesn't match your desired emotional use of the word. But reality doesn't bend to your will.
Re: (Score:2)
> stealing a car with the intention of running it out of gas on a joyride is not "theft" by the legal definition of the word
I don't know what kind of bizarro legal system you live under, but it's not one I've ever heard of. Whether something is considered theft/larceny/stealing doesn't hinge on whether the property is eventually recovered. But this is veering offtopic, and I've already been modded down for that once in this thread, so good night.
Re: (Score:2)
> But this is veering offtopic, and I've already been modded down for that once in this thread, so good night.
Your attack on "theft" that was factually and legally wrong was rightly modded down, but an on-topic discussion 6 deep (on topic because the discussion is about the definition of a word in the title of the submission) won't get you modded down. Sounds more like you are willfully ig
Re: (Score:2)
you might want to check up on that.
"unauthorized use" or similars are used in pretty much all of the west for.. well, unauthorized use, like joyriding. if the joyriding ends up destroying it then it's destroying of property..
you know how destroying property isn't theft as such.
why the distinctions? because usually it's more "bad" if the crime is done with profit in mind (like reselling the car)
Re: (Score:2)
> I don't know what kind of bizarro legal system you live under, but it's not one I've ever heard of. Whether something is considered theft/larceny/stealing doesn't hinge on whether the property is eventually recovered. But this is veering offtopic, and I've already been modded down for that once in this thread, so good night.
In Germany, when the very first "theft" of electricity happened (connecting to the neighbour's power cable and having him pay for the electricity bill), it turned out that this was according to the existing laws no theft, and a new law was added. Fraud laws had to be changed because of computer fraud; before that fraud had the legal requirement that a _person_ had to be given false information and with careful construction a computer could be defrauded without giving false information to any person.
Re: (Score:2)
This same old canard from the anti-IP and freeloaders association. If you can legally watch that movie without paying, why should anyone else be required to pay? And if no one pays, how will the movie producer generate revenue to even cover the cost of making the movie, let alone profit? If someone loses profit because of unethical and illegal actions of another, it's a crime. So copying that movie is a crime.
Here's webster
Re: (Score:2)
> If someone loses profit because of unethical and illegal actions of another, it's a crime.
Holy circular reasoning. It's a crime because it's illegal. Oh, and copyright violation isn't usually a "crime" but a "tort", well, for most copyright infringement.
So yelling "fire" in a theater isn't criminal negligence (trying to cause harm to others through lie/fraud), but theft, if any of those patrons leave because of the "fire" and request their money back. The person yelling "fire" stole from the theater and movie makers by his actions causing a loss of profit from the movie theater. Would it ma
And (Score:2)
How can we stop this egregious security issue!
Every single aspect of computing is unsecure if you add enough caveats.
May we change the title? (Score:1)
Questionable research (Score:3)
> In their experiments, Mazurczy and Caviglione managed to use this method to exfiltrate data at a rate of 0.5 bytes per second. At this speed, it would take roughly 2 minutes to send a 16-digit payment card number to the attacker.
2 minutes? One byte every 2 seconds for 16 characters should be 32 seconds. Plus, since they can control the encoding, they could send card numbers using only a nibble, so they could send all 16 numbers in 16 seconds.
Either the original (non-posted) research showed ALL card information could be sent in 2 minutes, or they realized Siri communications are so short they would need multiple requests to get a full 30 seconds of sent audio. Sadly, the original information is not posted so the math discrepancy remains puzzling.
~~
Re: (Score:2)
My assumption is they meant complete payment information for a credit card. So 16 digits, plus 3 digit code, plus expiration date, plus name on card (maybe plus zip code??). It could easily be 60 characters on average, and although most of that is numeric information that could be highly compressed, that could easily be the costs of a naive implementation.
Sponsored by Apple ? (Score:2)
Any chance the research was sponsored by Apple to make people more afraid of jail breaking ?
Can you say stingray? (Score:2)
> On the other hand, it only works on jailbroken devices and attackers somehow need to be able to intercept the
> modified Siri traffic.
So basically, it's useful if you can run a stingray and most effective against more sophisticated users who jailbreak their phones (yet still use Siri). Nice, real nice.
JitterBug (Score:2)
This reminds me of the JitterBug [duhscoveries.com] that got a lot of press back in 2006. It required such a ridiculous set of preconditions, it managed to be one of my dozen or so entries on my "dumb studies" blog. (Which is proof that I'm just as dumb - a blog about dumb studies?)
That's a lot of "ifs". (Score:2)
I suppose this might be interesting to some people, but when it says, "it only works on jailbroken devices and attackers somehow need to be able to intercept the modified Siri traffic", well, that's a lot of "ifs" in there. It's sort of like walking up to someone and saying, "Can you make elephant soup?" And they reply, "Sure I can. First, I need an elephant. Then I need to chop the elephant into small pieces..." I mean, I guess, technically, someone can make elephant soup, but not that easily.