Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Iphone Security Apple

Researchers Use Siri To Steal Data From iPhones 55

wiredmikey writes "Using Apple's voice-activated Siri function, security researchers have managed to steal sensitive information from iOS smartphones in a stealthy manner. Luca Caviglione of the National Research Council of Italy and Wojciech Mazurczy of the Warsaw University of Technology warn that malicious actors could use Siri for stealthy data exfiltration by using a method that's based on steganography, the practice of hiding information. Dubbed "iStegSiri" by the researchers, the attack can be effective because it doesn't require the installation of additional software components and it doesn't need the device's alteration. On the other hand, it only works on jailbroken devices and attackers somehow need to be able to intercept the modified Siri traffic. The attack method involves controlling the "shape" of this traffic to embed sensitive data from the device. This covert channel could be used to send credit card numbers, Apple IDs, passwords, and other sensitive information from the phone to the criminal mastermind, researchers said in their paper.
This discussion has been archived. No new comments can be posted.

Researchers Use Siri To Steal Data From iPhones

Comments Filter:
  • by Anonymous Coward on Monday January 19, 2015 @06:04PM (#48852655)

    Nothing to see here, move along.

    • by Anonymous Coward
      Jailbroken devices are in the low single digit percentage of all iOS devices, but so is Linux on the desktop so yes actually it is a concern.
    • by Anonymous Coward on Monday January 19, 2015 @07:11PM (#48852995)

      Right, this effectively boils down to "if you install a root kit on a device, bad things can happen"... No shit sherlock.

    • Please mod up. This doesn't affect most users.
    • Please mod up. This doesn't affect the vast majority of users.
    • by AmiMoJo ( 196126 ) *

      Around 30-35% of iPhones in China are jailbroken, if reports are to be believed. In any case, the jailbreaking tools get millions of downloads, so there are definitely a large number of people at risk.

      While you make an interesting point it ignores the wider issues. People claim Android is insecure even though all of the malware needs you to enable installing from .apk files, and much of it needs root. At least on Android you can legitimately use other app stores like Amazon's, and even rooting your phone do

      • Around 30-35% of iPhones in China are jailbroken, if reports are to be believed. In any case, the jailbreaking tools get millions of downloads,

        Compared to over a hundred million iPhones sold each year? Yeah , whatever.

  • by Rosyna ( 80334 ) on Monday January 19, 2015 @06:06PM (#48852673) Homepage

    So in order for this to work, an iOS device must already be compromised with a jailbreak? Why is that news?

    • by Anonymous Coward

      Because a non-trivial number of iPhone users jailbreak their devices?

      • Re: (Score:3, Interesting)

        And it's just "currently". Breaking into unjailbroken phones or taking advantage of bugs is the main game already.

        Interesting this -- they alter an audio such that it's Apple-encrypted path to the Siri server can be analyzed to extrace the hidden data without decrypting the stream.

        I often wondered about a similar thing, if a server could pulse data it sends encrypted, which would allow tracking through any layers of encryption. Say goodbye to tor & friends. You'd uave to add random delay to data at ea

      • by AK Marc ( 707885 )
        How many is "non trivial"? With things lik https://www.techinasia.com/chi... [techinasia.com] seems that jailbreaking is no longer as necessary as before.
      • by gl4ss ( 559668 )

        if you have code already running on the phone it's trivial to send data out from the device.

        the article is stupid. the researcher is double stupid, only looking for to make a stir with a fucking stupid write up that deliberately claims that something people use daily is compromised. it's deceitful journalism/research. the researcher should be hit on the toes with a hammer.

        next up: "google chrome can be used to send data out from a computer maliciously.... ....from a computer you already have root access on"

      • And what is your source for this "non-trivial number"? Your nerd friends don't represent the majority of users.

        • by Anonymous Coward

          Your nerd friends don't represent the majority of users.

          Ha! The jokes on you. I don't have any friends.

    • iOS web vulnerabilities that auto-jailbreak and install backdoors? It's never happened, but I do believe it's possible: http://www.securityweek.com/mo... [securityweek.com]
      • by Eythian ( 552130 )

        It has happened, there used to be a site called (something like) jailbreakme that would escape the safari sandbox and jailbreak your iphone. In this case, you had to press a button to confirm, but I think that was simply politeness. I'd bet there were malicious uses of it in the wild too.

  • Huh? (Score:5, Insightful)

    by Ecuador ( 740021 ) on Monday January 19, 2015 @06:06PM (#48852679) Homepage

    it doesn't require the installation of additional software components and it doesn't need the device's alteration.

    On the other hand, it only works on jailbroken devices

    Too bad jailbraking actually requires the device's alteration / installation of additional software components...

  • by thetoadwarrior ( 1268702 ) on Monday January 19, 2015 @06:11PM (#48852711) Homepage
    It's interesting but hardly a concern given the requirements to make it work.
    • Yeah, I'm waiting for someone to run a broadcast radio or TV advertisement that says something like "Hey Siri, Call 703 555 1212 (pay per call line) or "Hey Siri, Directions to XYZ business", or even "Hey Siri, search for malicious iPhone jailbreak website". You can also substitute in "Ok Google" as well to catch android phones...

  • Doomed, I say (Score:5, Insightful)

    by ctime ( 755868 ) on Monday January 19, 2015 @06:12PM (#48852717)
    Jailbroken phone susceptible to data ex-filtration while on special malicious network?? Apple is dying.
    • Jailbroken phone susceptible to data ex-filtration while on special malicious network?? Apple is dying.

      Mods: +5 Insightful. REALLY?!?

  • by BadPirate ( 1572721 ) on Monday January 19, 2015 @06:33PM (#48852825) Homepage

    ... That discovered that the Scalage security deadbolts have been compromised, and can be unlocked without the use of a key! Assuming of course you are inside the house.

  • Gotta meet those quotas for SEO whoring.

  • "Steal," huh? Everyone gets all adamant about drawing a distinction between theft and copyright violation when we're talking about the MAFIAAs; can we please apply a consistent standard to cases when it's ordinary users being "stolen" from?

    • Everyone gets all adamant about drawing a distinction between theft and copyright violation when we're talking about the MAFIAAs; can we please apply a consistent standard to cases when it's ordinary users being "stolen" from

      Well, the difference is actually important. In one case, the data is being published and intended to be published, it's just a matter of optimizing compensation models. That is, the reason people object to copyright infringement is the potential loss of a sale. . In the other, the per

    • by AK Marc ( 707885 )
      "stolen" is taken in a manner that causes a permanent loss, denying the owner the benefit of it. Stealing a movie isn't stealing because they can still sell it another million times. But stealing an identity does deny the previous owner the use of it. That identity no longer "works" so the previous owner must spend real money to create it again. That's a provable loss. Not the same as if I copy a movie in my house, and give a copy to my family, the movie makers would never know, so know "loss" can be r
      • So whether it's stealing depends on if the victim notices? Pickpockets of the world rejoice.

        • by AK Marc ( 707885 )
          Actually, yes. That's why Grand Theft Auto is separately defined. As stealing a car with the intention of running it out of gas on a joyride is not "theft" by the legal definition of the word. If it's not a permanent "loss", then it isn't theft. A non-loss can't be a theft. And a taking intended to be temporary is also not theft.

          I know it confuses you that the legal definition doesn't match your desired emotional use of the word. But reality doesn't bend to your will.
          • stealing a car with the intention of running it out of gas on a joyride is not "theft" by the legal definition of the word

            I don't know what kind of bizarro legal system you live under, but it's not one I've ever heard of. Whether something is considered theft/larceny/stealing doesn't hinge on whether the property is eventually recovered. But this is veering offtopic, and I've already been modded down for that once in this thread, so good night.

            • by AK Marc ( 707885 )
              Name your jurisdiction. Mine is valid in Texas and Alaska (the two places in the US I've lived longest, and yes, I read law for fun in my spare time, started as a kid when I'd spend some school breaks at my dad's legal practice).

              But this is veering offtopic, and I've already been modded down for that once in this thread, so good night.

              Your attack on "theft" that was factually and legally wrong was rightly modded down, but an on-topic discussion 6 deep (on topic because the discussion is about the definition of a word in the title of the submission) won't get you modded down. Sounds more like you are willfully ig

            • by gl4ss ( 559668 )

              you might want to check up on that.

              "unauthorized use" or similars are used in pretty much all of the west for.. well, unauthorized use, like joyriding. if the joyriding ends up destroying it then it's destroying of property..

              you know how destroying property isn't theft as such.

              why the distinctions? because usually it's more "bad" if the crime is done with profit in mind (like reselling the car)

            • I don't know what kind of bizarro legal system you live under, but it's not one I've ever heard of. Whether something is considered theft/larceny/stealing doesn't hinge on whether the property is eventually recovered. But this is veering offtopic, and I've already been modded down for that once in this thread, so good night.

              In Germany, when the very first "theft" of electricity happened (connecting to the neighbour's power cable and having him pay for the electricity bill), it turned out that this was according to the existing laws no theft, and a new law was added. Fraud laws had to be changed because of computer fraud; before that fraud had the legal requirement that a _person_ had to be given false information and with careful construction a computer could be defrauded without giving false information to any person.

      • by gnupun ( 752725 )

        Stealing a movie isn't stealing because they can still sell it another million times.

        This same old canard from the anti-IP and freeloaders association. If you can legally watch that movie without paying, why should anyone else be required to pay? And if no one pays, how will the movie producer generate revenue to even cover the cost of making the movie, let alone profit? If someone loses profit because of unethical and illegal actions of another, it's a crime. So copying that movie is a crime.

        Here's webster

        • by AK Marc ( 707885 )

          If someone loses profit because of unethical and illegal actions of another, it's a crime.

          Holy circular reasoning. It's a crime because it's illegal. Oh, and copyright violation isn't usually a "crime" but a "tort", well, for most copyright infringement.

          So yelling "fire" in a theater isn't criminal negligence (trying to cause harm to others through lie/fraud), but theft, if any of those patrons leave because of the "fire" and request their money back. The person yelling "fire" stole from the theater and movie makers by his actions causing a loss of profit from the movie theater. Would it ma

  • If someone had the password to my computer, in it's locked room, the encryption password for my encrypted drive, and personal access to my airgapped computer, they could steal everything I have!

    How can we stop this egregious security issue!

    Every single aspect of computing is unsecure if you add enough caveats.

  • Perhaps to something more descriptive. I suggest: "Here's another way that you can't hack a properly maintained iPhone, but thanks for the clicks".
  • by CaptQuark ( 2706165 ) on Tuesday January 20, 2015 @02:51AM (#48854501)

    In their experiments, Mazurczy and Caviglione managed to use this method to exfiltrate data at a rate of 0.5 bytes per second. At this speed, it would take roughly 2 minutes to send a 16-digit payment card number to the attacker.

    2 minutes? One byte every 2 seconds for 16 characters should be 32 seconds. Plus, since they can control the encoding, they could send card numbers using only a nibble, so they could send all 16 numbers in 16 seconds.

    Either the original (non-posted) research showed ALL card information could be sent in 2 minutes, or they realized Siri communications are so short they would need multiple requests to get a full 30 seconds of sent audio. Sadly, the original information is not posted so the math discrepancy remains puzzling.

    ~~

    • My assumption is they meant complete payment information for a credit card. So 16 digits, plus 3 digit code, plus expiration date, plus name on card (maybe plus zip code??). It could easily be 60 characters on average, and although most of that is numeric information that could be highly compressed, that could easily be the costs of a naive implementation.

  • Any chance the research was sponsored by Apple to make people more afraid of jail breaking ?

  • > On the other hand, it only works on jailbroken devices and attackers somehow need to be able to intercept the
    > modified Siri traffic.

    So basically, its useful if you can run a stingray and most effective against more sophisticated users who jailbreak their phones (yet still use siri). Nice, real nice.

  • This reminds me of the JitterBug [duhscoveries.com] that got a lot of press back in 2006. It required such a ridiculous set of preconditions, it managed to be one of my dozen or so entries on my "dumb studies" blog. (Which is proof that I'm just as dumb - a blog about dumb studies?)

  • I suppose this might be interesting to some people, but when it says, "it only works on jailbroken devices and attackers somehow need to be able to intercept the modified Siri traffic", well, that's a lot of "ifs" in there. It's sort of like walking up to someone and saying, "Can you make elephant soup?" And they reply, "Sure I can. First, I need an elephant. Then I need to chop the elephant into small pieces..." I mean, I guess, technically, someone can make elephant soup, but not that easily.

How many Unix hacks does it take to change a light bulb? Let's see, can you use a shell script for that or does it need a C program?

Working...