Security researcher Guilherme Rambo has discovered a flaw in Apple’s Bluetooth security, allowing any iOS app with Bluetooth access to eavesdrop on the user’s conversations with Siri.
To make matters worse, the eavesdropping would not be evident to the user: the app would not need to request microphone access to perform it, nor would it leave any apparent traces of malicious activity behind.
The only prerequisite for this attack was for the target to use AirPods or Beats headsets, which are pretty common for iPhone users.
The privacy repercussions of this problem depend on what conversations people have with Siri and how much those conversations reveal about their identity, location, personal preferences, habits, etc.
Listening to AirPods
AirPods 2nd gen and later can invoke Siri with a simple voice command, effectively starting a special DoAP service used for Siri and Dictation support.
The researcher deployed a Bluetooth sniffer that can connect to BLE devices and query their GATT database in order to capture the data exchanged between the AirPods and the iPhone in both directions.
The tool logged a stream of bytes when the Siri DoAP service was activated, which is when the user invokes the assistant with “Hey Siri”.
The DoAP audio stream was encoded with the Opus codec to make the transmission suitable for BLE, so to hear the user's conversations, Rambo only needed to decode the Opus stream to recover clear audio.
Finally, the researcher created an app requesting iOS for Bluetooth permission, connecting to the AirPods