Apple iPhone users are reportedly being tricked into spilling the beans on all their personal information, including text messages, emails, browsing history and photos, and they have Siri to thank.
According to a report by Forbes, while there are several steps involved in tricking Siri into divulging information on the phone, it can be done. The first thing the bad guys have to do is determine the phone number of the iPhone, which Siri provides. The bad guys then place a phone call from another phone, which is answered with a text reply; instead of entering a message, the attacker asks Siri to carry out some actions, including enabling VoiceOver, a feature that allows people to interact with iOS via gestures. An example of this attack was posted on YouTube, noted Forbes.
While the report may not send Apple iPhone users running for the hills, there are growing indications that Apple is increasingly a target of the bad guys. In September, Elcomsoft, a Moscow-based security company, said iOS 10 backups are very susceptible to a “brute force attack,” in which hackers automatically try one password combination after another until they hit the right one. This security hole could allow hackers to steal credit card data, infiltrate backups and access Apple’s Keychain password manager, where passwords and other authentication data are stored.
“When working on an iOS 10 update for Elcomsoft Phone Breaker, we discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2,500 times faster compared to the old mechanism used in iOS 9 and older,” according to an Elcomsoft blog post on the subject.
Elcomsoft said that its password-cracking software program, Phone Breaker, was able to try 6 million passwords per second against an iOS 10 backup in an effort to unlock access, compared to 150,000 passwords per second against iOS 9.