{"id":37570,"date":"2022-11-04T17:34:34","date_gmt":"2022-11-04T21:34:34","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=37570"},"modified":"2023-12-06T14:20:45","modified_gmt":"2023-12-06T19:20:45","slug":"sirispy-bug","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2022\/11\/04\/sirispy-bug\/","title":{"rendered":"SiriSpy Bug"},"content":{"rendered":"

Guilherme Rambo<\/a> (tweet<\/a>, Hacker News<\/a>):<\/p>\n

\n

Any app with access to Bluetooth could record your conversations with Siri and audio from the iOS keyboard dictation feature when using AirPods or Beats headsets. This would happen without the app requesting microphone access permission and without the app leaving any trace that it was listening to the microphone.<\/p>\n

[…]<\/p>\n

Knowing that the drop in output quality when using the microphone is a physical limitation of the Bluetooth standards used by AirPods and other similar headsets, how talk to Siri had been implemented on AirPods without disrupting audio quality had always been a bit of a mystery to me[…] I noticed that the AirPods included a service with the UUID 9bd708d7-64c7-4e9f-9ded-f6b6c4551967, and with characteristics that supported notifications. […] As soon as I did that, a firehose of hex bytes started to stream down my Terminal window.<\/p>\n

[…]<\/p>\n

You can probably see where this is going<\/a>: BTLEServerAgent<\/code> did not have any entitlement checks or TCC prompts in place for its com.apple.BTLEAudioController.xpc<\/code> service, so any process on the system could connect to it, send requests, and receive audio frames from AirPods.<\/p>\n

[…]<\/p>\n

I was told I’ll be receiving a US$7000 bug bounty payment for reporting these issues<\/p>\n<\/blockquote>\n

I think he deserves a lot more.<\/p>\n\n

Previously:<\/p>\n