Oct 27, 2022 14:00:00

Pointed out that the iOS bug allows the application to intercept ``conversation between user and Siri''

If you are using AirPods or Beats headphones with an app that can access Bluetooth, you can record 'conversation between Siri and the user' by using the voice input function that is standard on the iOS keyboard. , points out Brazilian app developer

Guillerme Rambo . According to Mr. Rambo, it is possible to intercept conversations without ``requesting permission to access the microphone from the application'' and leaving ``trace that the application was using the microphone''.

SiriSpy - iOS bug allowed apps to eavesdrop on your conversations with Siri | Rambo Codes
https://rambo.codes/posts/2022-10-25-sirispy-ios-bug-allowed-apps-to-eavesdrop

With AirPods, you can use the voice assistant Siri using the built-in microphone. If you've used Siri on AirPods, you may have noticed that when using Siri, the sound quality doesn't drop even though you're using the microphone. Normally, when video conferencing is performed using wireless earphones, etc., the output sound quality is significantly reduced. This seems to be due to the physical limitation of the Bluetooth standard that the output quality of the sound deteriorates when using the microphone. However, as mentioned above, when using Siri with AirPods, the voice quality is not degraded even though the microphone is used.

Mr. Rambo, who is developing ' AirBuddy ', an application for integrating AirPods on Mac, conducted performance tests of AirPods and Beats headphones that can always be used by Siri as part of the development, and developed new functions and It is said to be useful for troubleshooting.

One of the self-made tools in this is the command line tool 'bleutil'. Mr. Rambo seems to be debugging what is happening by checking the packets sent by AirPods using bleutil.

While Rambo was developing a new feature in bleutil, the ability to connect to a

Bluetooth LE device and query the GATT database, it was possible to subscribe to notifications for service characteristics and view terminal data in hexadecimal representation over time. It seems that they decided to add a function to display the stream in the window.

Most of the information that powers AirBuddy's functionality comes from advertising and Bluetooth Classic, which doesn't require connecting to a device over Bluetooth LE and interacting with a GATT database, so it doesn't use the services and features that exist in AirPods and similar devices. Mr. Rambo says he never looked into it.

Bluetooth LE GATT supports a function called 'notification', which is essential for real-time communication between devices, and when the stored data changes due to its characteristics, other devices constantly inquire about the current data ( Terminals can be subscribed to receive notifications without polling. Rambo notices that AirPods correspond to this 'notification' and the UUID '9bd708d7-64c7-4e9f-9ded-f6b6c4551967'. When Mr. Rambo examined this in detail, it becomes clear that '9bd708d7-64c7-4e9f-9ded-f6b6c4551967' is used by Siri called DoAP and the voice input function of the keyboard.

After understanding these, when I started bleutil again and analyzed the events sent from AirPods, it seems that when Siri was used via AirPods, a hexadecimal byte string flowed into bleutil. Furthermore, when talking with Siri using AirPods, this byte string changed more and more, and when it was silent, the byte string stopped changing. This hexadecimal byte string was the content of the conversation between Siri and the user.

Mr. Rambo's first impression when he noticed this was 'Oh, did you avoid the sound quality deterioration when using Siri by communicating like this? How cool.' However, on macOS, he found that it was possible to get audio from AirPods without asking permission to use the microphone, so he immediately thought, 'This is bad.'

However, since there is a possibility that the hexadecimal byte string is encrypted audio data, Mr. Rambo said he decided to check this first. Mr. Rambo pasted the hexadecimal byte string into

Hex Fiend and used the option 'listen to raw data' such as Audacity and Adobe Audition to see if the audio could be played while adjusting the sample rate and bit rate. is.

Then, I succeeded in reproducing the sound that almost matched what I said during the test. In the first place, Mr. Rambo later realized that the audio transmitted by Bluetooth LE was meaningless if it was uncompressed. So, if you look into the system components that are responsible for these functions, you will find that there are many references to a lossy audio compression format called ' Opus '.

Mr. Rambo compiled the Opus library and created a proof-of-concept app that can connect to AirPods and intercept notifications and audio data while maintaining the connection in the background. In fact, we have successfully intercepted the conversation between the user and Siri.

Mr. Rambo cites the worst possible scenario: ``An app that has already obtained Bluetooth permissions for other reasons can exploit this bug to intercept the conversation between the user and Siri.''

Mr. Rambo reported the bug discovered this time to Apple's security team on August 26, 2022, and released a patch for the bug on iOS 16.1 and other latest versions of the OS delivered on October 24, 2022. is applied. In addition, Mr. Rambo seems to be able to receive a bounty of $ 7000 (about 1 million yen) as a reward for bug reporting.