Security researcher Guilherme Rambo has discovered a flaw in Apple’s Bluetooth security, allowing any iOS app with Bluetooth access to eavesdrop on the user’s conversations with Siri.
To make matters worse, the breach wouldn’t be evident to the user as the app wouldn’t need to request microphone access to perform the eavesdropping, nor would it leave any apparent traces of malicious activity behind.
The only prerequisite for this attack was for the target to use AirPods or Beats headsets, which are pretty common for iPhone users.
The privacy repercussions arising from this problem depend on what conversations people have with Siri and how exposing they are to their identity, location, personal preferences, habits, etc.
Listening to AirPods
AirPods 2nd gen and later can invoke Siri with a simple voice command, effectively starting a special DoAP service used for Siri and Dictation support.
The researcher deployed a Bluetooth sniffer that can connect to BLE devices and query their GATT database, to capture data exchanges from the AirPods to the iPhone and vice versa.
The tool logged a stream of bytes when the Siri DoAP service was activated, which is when the user invokes the assistant with “Hey Siri”.
The stream of data from the DoAP audio was encoded with the Opus codec to make transmissions suitable for BLE, so to hear user conversations, Rambo just needed to reverse the encoding and get clear audio.
Finally, the researcher created an app requesting iOS for Bluetooth permission, connecting to the AirPods and keeping the connection open to capture notifications and audio data.
When the streaming starts, the app records the audio in WAV form and feeds it to an Opus decoder, storing all conversations in audio snippets.
If an attacker wanted, they could exfiltrate those snippets to a remote system and wipe them locally, leaving no trace of the covert eavesdropping activity.
“In a real-world exploit scenario, an app that already has Bluetooth permission for some other reason could be doing this without any indication to the user that it’s going on because there’s no request to access the microphone, and the indication in Control Center only lists “Siri & Dictation”, not the app that was bypassing the microphone permission by talking directly to the AirPods over Bluetooth LE.”
Guilherme Rambo – rambo.codes
Fix and Mitigation
The issue was reported to Apple on August 26, 2022, and the consumer tech giant addressed it on October 24, 2022, with the release of iOS 16.1, assigning it the identifier CVE-2022-32946.
Apple restricted direct access to the AirPods DoAP service over BLE GATT, adding all third-party apps to a deny list.
Rambo tested the issue on iOS version 15 too, and the DoAP service was susceptible to external eavesdropping, so it’s likely that anything prior to 16.1 is vulnerable.
Possibly, this flaw has remained open to exploitation for years, but due to its stealthy nature, even if it was leveraged in the wild, it was never discovered and reported.
iPhones and iPads running on an earlier version are vulnerable to this flaw, so their users are advised to either move to a newer and actively supported model or stop using AirPods with their devices.
Interesting…
https://www.privateinternetaccess.com/blog/eucj-vpn/
I never used Siri, and I wouldn’t use anything similar whatsoever. You always know that these types of services are designed to grab your private data, so anybody privacy conscious should avoid Siri anyway. But there is no doubt in my mind that smartphones are not good for privacy, not to mention anonymity.
Great Article!
These researchers are so clever. I hope Apple gave them a reward.
It sounds like Apple acted quickly on this, well done to them.
P.S. A question please?
Australia has had several serious cyber attacks in the last couple of months. And against of our largest organisations.
1) Concerning the Medibank Private breach, has RP any insight into what data has been dumped on the dark web (I am hearing a partial dump) or what the attackers are saying (I have heard nothing of this)? (The suggestion is that the Optus hacker was a kid or an amateur. Nobody seems to be suggesting this with this Medibank breach.)
2) Why is medical data so valuable to cyber criminals? I have been trying to find out and I have heard a range of suggestions. 1) Blackmail / extortion towards public persons; 2) Acquiring false drug prescriptions; 3) That medical information can be used as proof of identity (for financial theft).
It is not hard to imagine what a cyber criminal may do with stolen credit cards, but it is hard to imagine how medical information is monetised, yet I hear stolen medical data sells for more that stolen credit card data. What’s up with this?
“Healthcare data is valuable on the black market because it often contains all of an individual’s personally identifiable information, as opposed to a single piece of information that may be found in a financial breach. Often these attacks see hundreds of thousands of patient’s data and privacy compromised or stolen by those with malicious intent. According to a Trustwave report, a healthcare data record may be valued at up to $250 per record on the black market, compared to $5.40 for the next highest value record (a payment card). Because of the desirability of the data and the lure of monetary gain, it is important that this security threat is not underestimated by healthcare industry IT professionals and that steps are taken to safeguard this data. Most of these breaches can be attributed to criminal insiders and hackers gaining access through third-party vendors.”
from here
https://www.securelink.com/blog/healthcare-data-new-prize-hackers/