Friday, November 4, 2022

SiriSpy Bug

Guilherme Rambo (tweet, Hacker News):

Any app with access to Bluetooth could record your conversations with Siri and audio from the iOS keyboard dictation feature when using AirPods or Beats headsets. This would happen without the app requesting microphone access permission and without the app leaving any trace that it was listening to the microphone.


Knowing that the drop in output quality when using the microphone is a physical limitation of the Bluetooth standards used by AirPods and other similar headsets, how talk to Siri had been implemented on AirPods without disrupting audio quality had always been a bit of a mystery to me[…] I noticed that the AirPods included a service with the UUID 9bd708d7-64c7-4e9f-9ded-f6b6c4551967, and with characteristics that supported notifications. […] As soon as I did that, a firehose of hex bytes started to stream down my Terminal window.


You can probably see where this is going: BTLEServerAgent did not have any entitlement checks or TCC prompts in place for its service, so any process on the system could connect to it, send requests, and receive audio frames from AirPods.


I was told I’ll be receiving a US$7000 bug bounty payment for reporting these issues.

I think he deserves a lot more.


Update (2022-11-30): Guilherme Rambo (tweet):

The original version of this article mentioned a bug bounty payment of US$7000. However, this was due to an issue with the way Apple’s security team had communicated about the bounty. They broke down the two vulnerabilities discovered into separate CVEs, one of which was awarded a bounty of US$7000, while the other one was awarded US$22500. So the total bounty payment for the bugs described in this report was US$29500. Apple’s security team apologized for the confusion, and has since released a new web platform for bug submissions, which should make this a lot better going forward.

2 Comments

Apple seems to be extremely 'weasely' in their bug bounty payouts.

This seems to clearly meet the description of

"$50,000: Partial app access to sensitive data normally protected by a TCC prompt. As an example, you demonstrated that an iOS app is able to programmatically access all photos without accepting a TCC prompt."

In that - this is clearly sensitive data which =absolutely should= have been protected.

Instead, because they didn't bother to protect it (and that's what this bug bounty identifies), they seem to be paying out at the level for non-sensitive data:

"$5,000: Predictable enumeration of all apps. As an example, you demonstrated that an iOS app is able to enumerate all installed apps."

Pretty chintzy for a "trillion-dollar company."
