    IBM Warns of Apple Siri Shortcut Scareware Risk

    By Sean Michael Kerner - January 31, 2019
      Evil Siri Shortcut

      Apple’s Siri voice assistant is intended to help users, but according to new research published by IBM on Jan. 31, attackers could potentially abuse the Siri Shortcuts feature.

      Apple introduced Siri Shortcuts with iOS 12, enabling users and developers to use Siri to automate a series of tasks. IBM’s X-Force security division discovered that it is possible to use a Siri Shortcut for malicious purposes, including tricking a user into paying a fee to avoid having his or her information stolen in an attack known as scareware. In a proof-of-concept Siri Shortcuts scareware attack developed by IBM, a malicious shortcut is able to read information from an iOS device and then demand a fee from the user, all with the native Siri voice.

      “IBM X-Force has not seen evidence of attacks carried out using this method, but we developed the proof of concept to warn users of the potential dangers,” John Kuhn, senior security threat researcher for IBM X-Force IRIS, told eWEEK.

      The IBM disclosure of the Siri Shortcuts risk comes during a particularly challenging week for Apple as the company struggles to deal with a critical FaceTime vulnerability that could enable an attacker to eavesdrop on an unsuspecting user. Unlike the FaceTime vulnerability, however, the Siri Shortcuts issue is not an explicit vulnerability in Apple’s technology.

      “IBM X-Force conducted all of the research using native functionality of the Shortcuts app, so no exploitation of vulnerabilities was needed,” Kuhn said. “We highly suggest that every user reviews Shortcuts before adding them to their devices.”

      Kuhn added that IBM has worked with Apple since the initial research discovery to share all the details.

      How It Works

      Siri Shortcuts provides powerful capabilities to users and developers. IBM’s concern is that a hacker could abuse that power and trick a user with scareware. There is also the potential, according to IBM, for a Siri Shortcut to be configured to spread to other devices by messaging everyone on the victim’s contact list, expanding the impact of an attack.

      “Siri Shortcuts gives native capability to potentially send messages to contacts if the appropriate permissions are enabled,” Kuhn said. “In theory, this could be manipulated by an attacker to spread a link to other contacts.”

      There are, however, several caveats before a Siri Shortcut attack can spread. Kuhn noted that such an attack would require each user to install and run the Shortcut, which is more reminiscent of malware that uses email to propagate. The Siri Shortcut risk is also not a “drive-by” risk—that is, it isn’t something that a user can get simply by visiting a malicious site. The user must install the Siri Shortcuts app as well as the malicious shortcut, he said. However, he noted that attackers could easily entice users to do so by socially engineering the intended victim. 

      “This tactic is commonly used by attackers to get victims to install malware via email phishing attempts,” Kuhn said. “Basically, the attacker needs to offer anything enticing enough to get the user to comply with installing an otherwise suspect piece of software.”

      In terms of what data Siri Shortcuts is able to access and then send to an attacker, there are limits in place by default.

      “Siri Shortcuts does allow access to some system files on the phone. However, it does not allow access to files with PII [personally identifiable information] as far as our research has determined,” Kuhn said. “Siri Shortcuts does have native functionality to give the victim’s physical address, IP address, photos, videos and more.”

      So what should Apple users do? IBM suggests that users be careful when downloading third-party Siri Shortcuts and only install from a trusted source. IBM also suggests that users be mindful when running a Siri Shortcut and only enable actions that are needed.
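The review IBM recommends can be partly automated before a shortcut is added to a device. The following is an added example, not code from IBM or from the article: it assumes the shortcut is available as a property list whose `WFWorkflowActions` array carries `WFWorkflowActionIdentifier` strings, and the identifier-to-capability map is an assumption to adjust for the actions you care about.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Assumed action identifiers (not from the article), grouped by the
# capabilities it names: reading device data, sending it out, speaking.
ACTIONS = {
    "is.workflow.actions.getipaddress": ("collect", "reads IP address"),
    "is.workflow.actions.getcurrentlocation": ("collect", "reads location"),
    "is.workflow.actions.getlastphoto": ("collect", "reads photos"),
    "is.workflow.actions.contacts": ("collect", "reads contacts"),
    "is.workflow.actions.sendmessage": ("egress", "sends messages"),
    "is.workflow.actions.downloadurl": ("egress", "makes web requests"),
    "is.workflow.actions.speaktext": ("voice", "speaks text aloud"),
}

def audit_shortcut(data: bytes) -> dict:
    """List capability-bearing actions in a shortcut given as plist bytes."""
    try:
        doc = plistlib.loads(data)
    except (ValueError, ExpatError):
        return {"verdict": "unreadable", "findings": [], "categories": []}
    actions = doc.get("WFWorkflowActions", []) if isinstance(doc, dict) else []
    findings = []
    for position, action in enumerate(actions):
        ident = action.get("WFWorkflowActionIdentifier") if isinstance(action, dict) else None
        if isinstance(ident, str) and ident in ACTIONS:
            category, what = ACTIONS[ident]
            findings.append({"position": position, "id": ident,
                             "category": category, "what": what})
    categories = sorted({f["category"] for f in findings})
    # Reading device data and being able to send it is the pairing to question.
    risky = "collect" in categories and "egress" in categories
    return {"verdict": "review" if risky else "ok",
            "findings": findings, "categories": categories}

# Constructed sample: identifiers only, no parameters, built for this example.
SAMPLE = plistlib.dumps({"WFWorkflowActions": [
    {"WFWorkflowActionIdentifier": "example.constructed.unknown"},
    {"WFWorkflowActionIdentifier": "is.workflow.actions.getipaddress"},
    {"WFWorkflowActionIdentifier": "is.workflow.actions.speaktext"},
    {"WFWorkflowActionIdentifier": "is.workflow.actions.sendmessage"},
]}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    report = audit_shortcut(SAMPLE)
    print(report["verdict"], report["categories"])
    for f in report["findings"]:
        print(f"  action {f['position']}: {f['id']} ({f['what']})")
```

A "review" verdict means only that the shortcut both reads device data and can send something off the device; the listed actions still need to be read in the Shortcuts editor to decide whether that pairing is justified.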

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
