Vulnerability in iOS and macOS Allowed Eavesdropping on Siri Conversations

A recently patched vulnerability in Apple iOS and macOS, dubbed SiriSpy, allowed apps with Bluetooth access to eavesdrop on user conversations with Siri, as well as record audio when AirPods or Beats are connected to an Apple device.

We also previously reported that Apple Safari developers patched a 9-year-old vulnerability for the third time.

The problem was discovered in August by developer Guilherme Rambo, who created the AirBuddy app, which makes it easy to connect AirPods, Beats and other Bluetooth accessories to Apple devices. That is, Rambo spends a lot of time working with AirPods, Beats and so on.

“Any app with Bluetooth access can record your Siri conversations and Dictation-related audio when using AirPods or Beats. This happens without asking for permission to access the microphone, and the app does not leave any trace of the microphone being tapped,” says the developer.

According to Rambo, the issue was related to the DoAP service that AirPods use to support Siri and Dictation. It allowed an attacker to create an application that communicates with AirPods over Bluetooth and records audio in the background. The problem was exacerbated by the fact that no request for microphone access was shown, and Control Center displayed only “Siri & Dictation” rather than the application that bypassed permissions and communicated directly with the AirPods via Bluetooth LE.

On iOS, the attack required granting the app access to Bluetooth, but the researcher says this is not much of an obstacle. Users who grant such access to an application are unlikely to expect that it will then be able to eavesdrop on conversations with Siri and everything said through Dictation.

On macOS, even this restriction was absent, and the exploit could be used to completely bypass the Transparency, Consent and Control (TCC) protection system. The cause was a lack of checks in the BTLEServerAgent daemon, which is responsible for processing DoAP audio.

“On macOS, apps can record your Siri conversations or Dictation audio without any permission requests at all. Even worse, this particular exploit also allows the app to request DoAP audio on demand, without having to wait for the user to speak to Siri or use dictation,” Rambo wrote.

The issue was assigned the identifier CVE-2022-32946, and Apple fixed it this week with the release of iOS 16.1. The researcher received a $7,000 reward from the company for discovering the vulnerability.

About the author

Carina Wilson
