A now-patched security flaw in Apple’s iOS and macOS operating systems could have potentially enabled apps with Bluetooth access to eavesdrop on conversations with Siri.
Apple said “an app may be able to record audio using a pair of connected AirPods,” adding it addressed the Core Bluetooth issue in iOS 16.1 with improved entitlements.
Credited with discovering and reporting the bug in August 2022 is app developer Guilherme Rambo. The bug, dubbed SiriSpy, has been assigned the identifier CVE-2022-32946.
“Any app with access to Bluetooth could record your conversations with Siri and audio from the iOS keyboard dictation feature when using AirPods or Beats headsets,” Rambo said in a write-up.
“This would happen without the app requesting microphone access permission and without the app leaving any trace that it was listening to the microphone.”
The vulnerability, according to Rambo, relates to a service called DoAP that’s included in AirPods for Siri and Dictation support, thereby enabling a malicious actor to craft an app that could be connected to the AirPods via Bluetooth and record the audio in the background.
This is compounded by the fact that “there’s no request to access the microphone, and the indication in Control Center only lists ‘Siri & Dictation,’ not the app that was bypassing the microphone permission by talking directly to the AirPods over Bluetooth LE.”
While the attack requires that the app has access to Bluetooth, this restriction can be trivially bypassed as users granting Bluetooth access to the app are unlikely to expect that it could also open the door to accessing their conversations with Siri and audio from dictation.
On macOS, however, the exploit could be abused to achieve a total bypass of the Transparency, Consent and Control (TCC) security framework, meaning any app can record conversations with Siri without requesting for any permissions in the first place.
Rambo said the reason for this behavior is owing to the lack of entitlement checks for BTLEServerAgent, the daemon service responsible for handling DoAP audio.
A software patch remediating this flaw is available for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later. It has also been resolved in all supported versions of macOS.
The iOS 16.1 update, which was released on October 24, 2022, comes with fixes for a total of 20 flaws, including a Kernel vulnerability (CVE-2022-42827) that it disclosed as being actively exploited in the wild.