Apple Siri voice assistant is created to help the users. However, in new research published by IBM on January 31st, the Siri shortcuts feature can potentially be abused by attackers.
Apple introduced the Siri Shortcuts with iOS 12 in order to enable users and the developers so that they can use Apple Siri in order to automate any series of tasks.
What the IBM’s security division discovered?
The IBM’s X force security team found out that it is possible that a person can use Apple Siri Shortcut for any malicious purposes. This included tricking a user into paying for their own information to not be leaked. The information can be stolen in an attack which is called scareware. IBM even developed scareware in order to present the proof that it is a real possibility.
What can the scareware actually do?
The scareware version which was developed by IBM was able to read information with the help of an iOS device and then proceed to demand a fee from the user. It did all of this using Siri’s voice.
Imagine your AI assistant suddenly asking you for money. Or it will leak every bit of information about you for the world to see. Even the thought of it very scary.
A senior security threat researcher in the IBM X-force IRIS, John Kuhn, said in an interview :
that IBM X-Force has not seen evidence of attacks carried out using this method, but we developed the proof of concept to warn users of the potential dangers
What information can Scareware leak from Apple Siri?
John further stated in the interview that, “Siri Shortcuts does allow access to some system files on the phone. However, it does not allow access files with PII [personally identifiable information] as far as our research has determined,” Kuhn said. “Siri Shortcuts does have native functionality to give the victim’s physical address, IP address, photos, videos and more.”