Researchers have reportedly found a way to use Apple's voice-activated Siri service to steal data from iOS devices through a new attack method, "iStegSiri." Could this become an exploited threat? How can this type of Siri attack be mitigated?
Most activities in life require tradeoffs between risks and rewards, as well as between security and usability.
Smartphones are one area where this tradeoff may be very visible to the end user. Mobile devices improve usability so much that the decision is a difficult one, and many times a person needs to accept the risk of using an application to enjoy its benefits.
Using Siri -- or any other similar voice-activated "personal assistant" tool that takes actions from unauthenticated users -- is one of those risks.
The iStegSiri attack on an iPhone's Siri is a man-in-the-middle attack that allows a malicious actor to intercept sensitive data -- such as Apple IDs or passwords -- without the user knowing it. In one proof-of-concept attack, researchers estimated hackers could transmit a stolen credit card number in about two minutes.
The Siri attack requires an iPhone to first be rooted and then to execute the malicious code to send sensitive data. However, there are other covert channels that can be used to send small amounts of data in a way that would be difficult to detect, such as domain name system (DNS) tunnels. Also, if malware can execute code on a rooted iPhone, a custom encrypted tunnel could be used to transmit sensitive data.
iStegSiri also requires access to the network between the iPhone and Apple's servers to capture the data that is transmitted to Apple for conversion to text for Siri.
As the first step in protecting against such an attack, enterprises should ban users from jailbreaking their iPhones. Installing antimalware software could also detect the attack and prevent malicious code from executing. In addition, if an organization monitors the device or the network that the device is connected to for malware, the attack could potentially be discovered.
While this threat is a low risk for enterprises, the point about covert channels is something enterprises with high security requirements may need to analyze carefully to determine how to monitor them.
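One way to start on the covert-channel monitoring mentioned above, shown as an added example that is not part of the original article: a heuristic that flags clients sending many long, high-entropy subdomains to a single domain, a common sign of DNS tunneling. The log entries, thresholds and function names are constructed assumptions for illustration.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (client IP, queried name); not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.9", "mzxw6ytboi4dcmrt.t.example.net"),
    ("10.0.0.9", "gezdgnbvgy3tqojq.t.example.net"),
    ("10.0.0.9", "nbswy3dpeb3w64tm.t.example.net"),
    ("10.0.0.9", "orugs4zanfzsayja.t.example.net"),
]

def shannon_entropy(text):
    """Bits per character of the string's character distribution."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def split_name(qname, base_labels=2):
    """Naive split into (subdomain, base domain); assumes a two-label base domain."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-base_labels]), ".".join(labels[-base_labels:])

def find_suspect_channels(queries, min_unique=4, min_entropy=3.0, min_avg_len=12):
    """Return sorted (client, base domain) pairs whose subdomains look like encoded data."""
    seen = defaultdict(set)
    for client, qname in queries:
        sub, base = split_name(qname)
        if sub:
            seen[(client, base)].add(sub)
    suspects = []
    for key, subs in seen.items():
        joined = "".join(s.replace(".", "") for s in subs)
        avg_len = sum(len(s) for s in subs) / len(subs)
        # Thresholds are illustrative assumptions; tune them against real baselines.
        if (len(subs) >= min_unique and avg_len >= min_avg_len
                and shannon_entropy(joined) >= min_entropy):
            suspects.append(key)
    return sorted(suspects)

if __name__ == "__main__":
    for client, base in find_suspect_channels(SAMPLE_QUERIES):
        print(f"possible DNS tunnel: {client} -> *.{base}")
```

A slow channel that sends only a few short queries stays under these thresholds, so results should be combined with per-client query volume and baselines over longer time windows.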
Ask the Expert:
Want to ask Nick Lewis a question about enterprise threats? Submit your questions now via email. (All questions are anonymous.)