A recently patched vulnerability in Apple iOS and macOS, dubbed SiriSpy, allowed apps with Bluetooth access to eavesdrop on user conversations with Siri, as well as record audio when AirPods or Beats are connected to an Apple device.
The problem was discovered in August by developer Guilherme Rambo, who created the AirBuddy app, which makes it easy to connect AirPods, Beats and other Bluetooth accessories to Apple devices. In other words, Rambo spends a lot of time working with AirPods, Beats and similar accessories.
According to Rambo, the issue was related to the DoAP service that AirPods provide to support Siri and Dictation. It allowed an attacker to create an application that would communicate with AirPods via Bluetooth and record audio in the background. The problem was exacerbated by the fact that no request for microphone access was shown, and the Control Center displayed only “Siri & Dictation” rather than the application that was bypassing permissions and communicating directly with the AirPods via Bluetooth LE.
On iOS, the attack required the app to be granted access to Bluetooth, but the researcher says that is not much of an obstacle. After all, users who grant an application such access are unlikely to expect that it will then be able to eavesdrop on conversations with Siri and on everything said via Dictation.
On macOS, even this limitation was missing, and the exploit could be used to completely bypass the Transparency, Consent and Control (TCC) defence system. The cause was a lack of checks in the BTLEServerAgent daemon, which is responsible for processing DoAP audio.
The issue was assigned CVE-2022-32946, and Apple fixed it this week with the release of iOS 16.1. The researcher received a $7,000 reward from the company for discovering the vulnerability.