Malicious Hackers Can Abuse Siri Shortcuts: IBM

The Siri Shortcuts that Apple introduced in iOS 12 can be abused by attackers for malicious purposes, IBM’s security researchers have discovered.

Siri Shortcuts, meant to provide users with faster access to applications and features, automate common tasks and can either be enabled by third-party developers in their apps or custom-designed by users who download the Shortcuts app from the App Store.

Once up and running on a user’s device, the application can perform complex tasks, which presents potential security risks, John Kuhn, senior threat researcher at IBM Managed Security Services, explains in a blog post.

Siri Shortcuts can facilitate a broad range of interactions between users and their devices, either directly from the lock screen or through existing apps. What’s more, users can share these Shortcuts from the app itself via iCloud.

Developers can create Shortcuts and present them to users from within their apps, and the shortcuts can appear on the lock screen or in ‘search’, based on time, location and context.

According to IBM’s security researchers, Shortcuts could be created for malicious purposes, such as scareware, a pseudo-ransom attack in which cybercriminals scare victims into paying by leading them to believe that their data has been compromised.

“Using native shortcut functionality, a script could be created to speak the ransom demands to the device’s owner by using Siri’s voice,” Kuhn says.

An attacker could automate data collection from the device (current physical address, IP address, contents of the clipboard, stored pictures/videos, contact information and more), and then have the data displayed to the user to convince them that the attacker can use the data.

“To move the user to the ransom payment stage, the shortcut could automatically access the Internet, browsing to a URL that contains payment information via cryptocurrency wallets, and demand that the user pay-up or see their data deleted, or exposed on the Internet,” the researcher continues.

What’s more, the attacker could configure the malicious Shortcut to spread to the victim’s contact list, prompting them to download and install the same Shortcut. With the message coming from a trusted contact, the attack is likely to succeed.

The researchers published a video demonstrating how a Shortcut can change the device’s brightness and volume, turn the flashlight on and off while vibrating at the same time, speak a ransom note that includes convincing personal details, display the spoken note in a written alert, and access the URL of a page containing payment information, in addition to spreading via messages to users’ contacts.

“In our security research labs, we tested the ransom attack scenario. The shortcut we created was named ‘Ransom’ in the video, but it could easily be named any other name to entice users to run it. Lures, such as game cheats/hacking, unlocking secret functionality in apps, or getting free money, often entice users to tap on a shortcut and see where it leads,” Kuhn says.

The researcher also points out that users are likely to fall for social engineering and then install the malicious code on their devices. Thus, they are advised to never install a Shortcut from an untrusted source, and to check the permissions that the Shortcut is requesting and the underlying actions the shortcut might take.
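
One way to review a Shortcut's underlying actions before running it, shown as an added example that is not code from IBM or from the article: the script lists the actions in an exported shortcut and flags the combination described above (data collection followed by a spoken or displayed demand with a URL, or by messaging contacts). It assumes an unsigned export stored as a property list with a `WFWorkflowActions` array; the action identifier strings, category names and sample shortcuts are assumptions constructed for illustration.

```python
import plistlib

# Assumed action identifiers, grouped by the behaviours the article describes.
CATEGORIES = {
    "collects_data": {
        "is.workflow.actions.getclipboard",
        "is.workflow.actions.getipaddress",
        "is.workflow.actions.getcurrentlocation",
    },
    "intimidates": {"is.workflow.actions.speaktext", "is.workflow.actions.alert"},
    "opens_url": {"is.workflow.actions.openurl"},
    "sends_messages": {"is.workflow.actions.sendmessage"},
}

def audit_shortcut(data: bytes) -> dict:
    """Return {category: [action identifiers]} for an exported shortcut plist."""
    try:
        doc = plistlib.loads(data)
    except Exception as exc:  # malformed, truncated, or not a plist at all
        raise ValueError(f"not a readable plist: {exc}") from exc
    actions = doc.get("WFWorkflowActions", []) if isinstance(doc, dict) else []
    found = {}
    for action in actions:
        ident = action.get("WFWorkflowActionIdentifier", "") if isinstance(action, dict) else ""
        for category, idents in CATEGORIES.items():
            if ident in idents:
                found.setdefault(category, []).append(ident)
    return found

def verdict(found: dict) -> str:
    """Flag data collection combined with spreading or with a demand plus a URL."""
    pressure = "intimidates" in found and "opens_url" in found
    if "collects_data" in found and ("sends_messages" in found or pressure):
        return "review-before-running"
    return "no-known-pattern"

def make_sample(idents):
    # Constructed sample input: a minimal shortcut plist with the given actions.
    return plistlib.dumps({"WFWorkflowActions": [
        {"WFWorkflowActionIdentifier": i, "WFWorkflowActionParameters": {}} for i in idents]})

SUSPICIOUS = make_sample(["is.workflow.actions.getclipboard", "is.workflow.actions.speaktext",
                          "is.workflow.actions.openurl", "is.workflow.actions.sendmessage"])
BENIGN = make_sample(["is.workflow.actions.setbrightness", "is.workflow.actions.openurl"])

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, verdict(audit_shortcut(blob)), audit_shortcut(blob))
```

A "no-known-pattern" result only means none of the listed identifiers matched in that combination; the full action list still needs to be read before the Shortcut is trusted.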

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
