IBM Warns of Apple Siri Shortcut Scareware Risk

"Hey Siri" is supposed to be a voice command that enables Apple's digital assistant, but in the wrong hands the new Siri Shortcuts feature could potentially be abused by an attacker.


Apple's Siri voice assistant is intended to help users, but according to new research published by IBM on Jan. 31, attackers could potentially abuse the Siri Shortcuts feature.

Apple introduced Siri Shortcuts with iOS 12, enabling users and developers to use Siri to automate a series of tasks. IBM's X-Force security division discovered that it is possible to use a Siri Shortcut for malicious purposes, including tricking a user into paying a fee to avoid having his or her information stolen in an attack known as scareware. In a proof-of-concept Siri Shortcuts scareware attack developed by IBM, a malicious shortcut is able to read information from an iOS device and then demand a fee from the user, all with the native Siri voice.

"IBM X-Force has not seen evidence of attacks carried out using this method, but we developed the proof of concept to warn users of the potential dangers," John Kuhn, senior security threat researcher for IBM X-Force IRIS, told eWEEK.

The IBM disclosure of the Siri Shortcuts risk comes during a particularly challenging week for Apple as the company struggles to deal with a critical FaceTime vulnerability that could enable an attacker to eavesdrop on an unsuspecting user. Unlike the FaceTime vulnerability, however, the Siri Shortcuts issue is not an explicit vulnerability in Apple's technology.

"IBM X-Force conducted all of the research using native functionality of the Shortcuts app, so no exploitation of vulnerabilities was needed," Kuhn said. "We highly suggest that every user reviews Shortcuts before adding them to their devices."

Kuhn added that IBM has worked with Apple since the initial research discovery to share all the details.

How It Works

Siri Shortcuts provides powerful capabilities to users and developers. IBM's concern is that a hacker could abuse that power and trick a user with scareware. There is also the potential, according to IBM, for a Siri Shortcut to be configured to spread to other devices by messaging everyone on the victim’s contact list, expanding the impact of an attack.

"Siri Shortcuts gives native capability to potentially send messages to contacts if the appropriate permissions are enabled," Kuhn said. "In theory, this could be manipulated by an attacker to spread a link to other contacts."

There are, however, several caveats before a Siri Shortcut attack can spread. Kuhn noted that such an attack would require each user to install and run the Shortcut, which is more reminiscent of malware that uses email to propagate. The Siri Shortcut risk is also not a "drive-by" risk—that is, it isn't something that a user can get simply by visiting a malicious site. The user must install the Siri Shortcuts app as well as the malicious shortcut, he said. However, he noted that attackers could easily entice users to do so by socially engineering the intended victim. 

"This tactic is commonly used by attackers to get victims to install malware via email phishing attempts," Kuhn said. "Basically, the attacker needs to offer anything enticing enough to get the user to comply with installing an otherwise suspect piece of software."

In terms of what data Siri Shortcuts is able to access and then send to an attacker, there are limits in place by default.

"Siri Shortcuts does allow access to some system files on the phone. However, it does not allow access to files with PII [personally identifiable information] as far as our research has determined," Kuhn said. "Siri Shortcuts does have native functionality to give the victim's physical address, IP address, photos, videos and more."

So what should Apple users do? IBM suggests that users be careful when downloading third-party Siri Shortcuts and only install from a trusted source. IBM also suggests that users be mindful when running a Siri Shortcut and only enable actions that are needed.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.