Security researcher Guilherme Rambo has discovered a flaw in Apple’s Bluetooth security, allowing any iOS app with Bluetooth access to eavesdrop on the user’s conversations with Siri.
To make matters worse, the breach wouldn’t be evident to the user as the app wouldn’t need to request microphone access to perform the eavesdropping, nor would it leave any apparent traces of malicious activity behind.
The only prerequisite for this attack was for the target to use AirPods or Beats headsets, which are pretty common for iPhone users.
The privacy repercussions of this problem depend on what conversations people have with Siri and how much those conversations reveal about their identity, location, personal preferences, habits, etc.
Listening to AirPods
AirPods 2nd gen and later can invoke Siri with a simple voice command, effectively starting a special DoAP service used for Siri and Dictation support.
The researcher deployed a Bluetooth sniffer that can connect to BLE devices and query their GATT database, to capture data exchanges from the AirPods to the iPhone and vice versa.
The tool logged a stream of bytes when the Siri DoAP service was activated, which is when the user invokes the assistant with “Hey Siri”.
The DoAP audio stream is encoded with the Opus codec to keep transmissions small enough for BLE, so to hear the user’s conversations, Rambo only needed to decode the Opus stream to recover clear audio.
Finally, the researcher created an app that requests Bluetooth permission from iOS, connects to the AirPods, and keeps the connection open to receive notifications and audio data.
When the streaming starts, the app records the audio in WAV form and feeds it to an Opus decoder, storing all conversations in audio snippets.
If an attacker wanted, they could exfiltrate those snippets to a remote system and wipe them locally, leaving no trace of the covert eavesdropping activity.
“In a real-world exploit scenario, an app that already has Bluetooth permission for some other reason could be doing this without any indication to the user that it’s going on because there’s no request to access the microphone, and the indication in Control Center only lists ‘Siri & Dictation’, not the app that was bypassing the microphone permission by talking directly to the AirPods over Bluetooth LE.” – Guilherme Rambo, rambo.codes
Fix and Mitigation
The issue was reported to Apple on August 26, 2022, and the consumer tech giant addressed it on October 24, 2022, with the release of iOS 16.1, assigning it the identifier CVE-2022-32946.
Apple restricted direct access to the AirPods DoAP service over BLE GATT, adding all third-party apps to a deny list.
Rambo tested the issue on iOS version 15 too, and the DoAP service was susceptible to external eavesdropping, so it’s likely that anything prior to 16.1 is vulnerable.
This flaw may have been open to exploitation for years, but because of its stealthy nature, even if it was leveraged in the wild, it would not have been discovered and reported.
iPhones and iPads running an earlier iOS or iPadOS version remain vulnerable to this flaw, so their users are advised to either move to a newer, actively supported model or stop using AirPods with their devices.
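As an added example (not code from the article or from the researcher), the following script applies the two facts above to a device inventory: the fix shipped in iOS 16.1, and the attack only matters when AirPods or Beats headsets are in use. The device records, ids and the version "16.10" are constructed sample data (the latter only to show why versions must be compared numerically rather than as strings).

```python
from __future__ import annotations

# Added example, not from the article: triage devices still exposed to
# CVE-2022-32946 using the article's facts (fixed in iOS 16.1; attack
# requires AirPods or Beats headsets). Sample data below is constructed.

FIXED_IN = (16, 1)  # iOS 16.1 per the article


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '15.7.1' into (15, 7, 1) so comparison is numeric.
    A plain string comparison would wrongly rank '16.10' below '16.9'."""
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(version: str) -> bool:
    """True when the OS version is 16.1 or later."""
    return parse_version(version) >= FIXED_IN


def triage(devices: list[dict]) -> list[tuple[str, str]]:
    """Return (device_id, advice) for each device that still needs attention.
    Unpatched devices paired with AirPods/Beats get the article's advice:
    update or stop using the headset with the device."""
    findings = []
    for dev in devices:
        if is_patched(dev["os_version"]):
            continue
        if dev["bt_headset"] in ("AirPods", "Beats"):
            advice = "unpatched and uses AirPods/Beats: update to iOS 16.1+ or stop using the headset"
        else:
            advice = "unpatched: update to iOS 16.1+ before pairing AirPods/Beats"
        findings.append((dev["id"], advice))
    return findings


# Constructed sample inventory (hypothetical device ids and versions).
SAMPLE_DEVICES = [
    {"id": "iphone-01", "os_version": "16.1", "bt_headset": "AirPods"},
    {"id": "iphone-02", "os_version": "15.7.1", "bt_headset": "AirPods"},
    {"id": "ipad-03", "os_version": "16.0.3", "bt_headset": None},
    {"id": "iphone-04", "os_version": "16.10", "bt_headset": "Beats"},
]

if __name__ == "__main__":
    for dev_id, advice in triage(SAMPLE_DEVICES):
        print(dev_id, "->", advice)
```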