Apple’s voice-activated personal assistant Siri can be used to steal data from iPhones and iPads, according to researchers from Italy and Poland.
The proof-of-concept, iStegSiri, is capable of secretly leaking data by embedding covert instructions in a sound sequence that is not played back to the phone’s owner; the sequence is then decoded by a hacker who sits between the phone and Apple’s servers.
Luca Caviglione, a researcher at the National Research Council of Italy, and Wojciech Mazurczyk, associate professor at the Warsaw University of Technology, said hackers could carry out the attack through a software library called Libactivator, or by accessing the application programming interfaces [API] provided by Apple.
They added that the method would only work on jailbroken iPhones and iPads which have been configured so that third-party apps can be downloaded, and that hackers would need to access Siri traffic as it moves to server facilities in order to pull off the attack.
“Because information-hiding methods use very specific technological traits, no current off-the-shelf products effectively detect covert communications,” they said, adding that an effective countermeasure would involve analysing text patterns to see if they conform to typical language behaviours.
“This approach wouldn’t rely on the device, so additional functionalities or battery consumptions wouldn’t be required. We plan to further our research to develop an efficient countermeasure to mitigate this threat.”