IBM Researchers Warn of Security Vulnerabilities in Siri Shortcuts, But the Exploit Seems Unlikely to Threaten Many Users
IBM security researchers recently put out a warning about potential vulnerabilities for Siri Shortcuts that could facilitate malicious attacks. In a post entitled “Hey Siri, Get My Coffee, Hold the Malware,” in IBM’s Security Intelligence blog, senior threat researcher John Kuhn outlines how Siri Shortcuts’ capabilities can be used by hackers in an attack. Mr. Kuhn states:
“With Apple’s introduction of iOS 12 for all their supported mobile devices came a powerful new utility for automation of common tasks called Siri Shortcuts. This new feature can be enabled via third-party developers in their apps, or custom built by users downloading the shortcuts app from the app store. Once downloaded and installed, the Shortcuts app grants the power of scripting to perform complex tasks on users’ personal devices. But accessing the phone from Siri Shortcuts also presents some potential security risks…”
Many iOS users are aware of Siri Shortcuts through the user app that Apple released in 2018. This app is not part of the vulnerability assessment. The attack scenario relies on the lesser known capability that allows iOS developers to implement Siri Shortcut orchestration functionality directly into apps.
Spoofing a Ransomware Attack
The key attack scenario outlined by the researchers is a simulated ransomware attack. I characterize this as simulated because the attack doesn’t actually take over control of the device like we often see with PC-based ransomware. Instead, it uses social engineering techniques to make the user think the device has been compromised. A video in the post shows the following steps of the attack:
- The shortcut is configured to gather personal data from the device:
- It can collect photos from the camera roll.
- Grab the contents of the clipboard.
- Get the physical address of the device’s location.
- Find the external IP address.
- Get the device’s model.
- Get the device’s current mobile carrier
- The Siri Shortcut can message the information to an external party; this data can also be sent over SSH to the attacker’s server using native functionality.
- The Shortcut can set the brightness and volume of the device to 100%
- It can turn the device’s flashlight on and off while vibrating at the same time to get the user’s attention and make them believe their device has been taken over.
- The Shortcut can be made to speak a ransom note which can include convincing personal details to make the user believe the attacker. For example, it can indicate the IP address and physical address of the person and demand payment.
- The Shortcut can be further programmed to then display the spoken note in a written alert format on the device.
- To nudge the user to pay up, the Shortcut can be configured to open a webpage, accessing a URL that contains payment information to a cryptocurrency wallet, or a phishing page demanding payment card/account information.
- To spread around, and since Siri Shortcuts can be shared among users, the malicious Shortcut could also send a link to everyone in the user’s contact list giving it a “worm like” capability that’s easy to deploy but harder to detect.
How Likely is This Threat?
If you were attacked using the method outlined, it could be very convincing and lead users to pay a ransom instead of simply uninstalling an app which would remove the threat. However, for this threat to even materialize, the user would either need to have a jailbroken iOS device and download a rogue app not certified by the App Store or the malicious app would need to first get through App Store certification, generate downloads, and get users to accept the Siri Shortcuts features which can be reviewed as permissions.
Users with jailbroken devices hopefully understand their risk tradeoff so we can set them aside. When considering a typical user, we first must assess the risk that a malicious app will make it past iOS certification. This certainly has happened, but the incidents are not common. In addition, for this to work, the permissions around Siri Shortcuts app actions would need to be obscured and the certification engineers would have to willfully ignore testing them. User neglect around simply accepting permissions without reviewing actions is a likely scenario and hackers are good at using social engineering techniques to drive downloads. So, the key line of defense is iOS app store certification and awareness by users of what actions can do and cannot do.
How Orchestration Features Increase Risk
All of these factors make the risk of this attack fairly low for a typical user. Regardless, the security researchers did their job to point out how new technology like Siri Shortcuts can become a threat vector. The scenario outlined in reality exposes the threat of orchestration tools and triggers that enable multiple actions from a single command or activity. Apple is working with IBM to address the concerns in the attack, but anytime you are able to knit apps and actions together, small wedges can become larger problems. Consider an app that enables an automatic money transfer based on a set of orchestrated events or one that unlocks all doors in a home.
These capabilities may become a bigger problem as the AI-based assistants begin to implement more orchestrations automatically based on user behavior. If hackers can trick the user and AI into implementing an orchestration, a threat could be executed without user awareness. So, the Siri Shortcut vulnerability represents a minor risk, but it does point out where vigilance will be required as assistants become more integrated into consumers’ daily lives.