Without even asking for permissions, the newly discovered 'SiriSpy' flaw in Apple's iOS Bluetooth access could allow someone to access user interactions with Siri and keyboard-dictation audio.

Dark Reading Staff, Dark Reading

October 27, 2022

1 Min Read
Apple products including AirPods, iPhone and Apple Watch stacked neatly on white background
Source: Volodymyr Kalyniuk via Alamy

For anyone who thought their conversations with Siri were sacred and keyboard dictation recordings were secure, a new analysis found a flaw in the iOS Bluetooth that could allow someone to grab audio from both. 

The find is from researcher Guilherme Rambo, who published details of an Apple iOS flaw he calls "SiriSpy," tracked under CVE-2022-32946. It would let a malicious app that a user has been convinced to install eavesdrop on audio interactions with iPhones.

"Any app with access to Bluetooth could record your conversations with Siri and audio from the iOS keyboard dictation feature when using AirPods or Beats headsets," Rambo wrote. "This would happen without the app requesting microphone access permission, and without the app leaving any trace that it was listening to the microphone." 

Rambo explained he regularly does cybersecurity research on AirPods, leading him to the find. 

After alerting Apple to the vulnerability in late August, Rambo said on Oct. 24 that iOS 16.1, along with all of the other remaining Apple operating systems, were updated with a fix. Making the find even sweeter, Rambo added he's been told by Apple he will receive a $7,000 bug bounty for his efforts. 

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights