Researchers hack Siri from 16 feet away (businessinsider.com)
42 points by dosapati on Oct 14, 2015 | 18 comments


Interesting inducing audio on the wire of a connected pair of headphones. (lousy shielding, coax wouldn't work but nobody seems to have coax headphone cables at the low end :-)

I've always wondered what would happen if you broadcast "Ok Google, call 555-1212, ok" over a loudspeaker in a crowded shopping mall. How many people's phones would simply obey?


Wasn't there actually a radio ad which just did that?

edit: found it http://www.cultofmac.com/328705/toyota-radio-ad-shuts-down-i...


I've found that my iPhone does a fairly decent job of discerning my voice in a noisy environment. I suspect that there is lots of clever use of noise cancelling mics to distinguish between a nearby voice issuing commands (mine), and noise in the environment.

It would be an interesting experiment.


A few weeks ago I was in a meeting and Siri blurted out "Sorry I didn't get that". I've never had "hey Siri" activated (I immediately verified) and nothing was plugged into my iPhone 5. Rather disconcerting.


It will activate if you hold down the home button, something that can easily happen accidentally when your phone is in your pocket or otherwise squashed against something.

Mine activated the other day in that manner and my three year old looked around wildly, then said "Was that the robot lady?!"


It was sitting face-up on a table. Other than the possibility of a flaky home button, I'm chalking this one up to the NSA. :)


Happens to me quite often if I accidentally have something in my pocket which presses down the Home button of the iPhone for a few seconds.


There's a few things that seem key to this: Leaving "hey siri" and "ok google" on at all times requires a relatively noise-free environment. Also, with the always-on feature, you need to properly address one's phone. Simply changing Siri to "Stupidhead" would render the always-on attack moot.

It's interesting but without direct access, there's only minimal information to be gleaned as commanding Siri to look up the most recent call would only allow the attack to see the most recent call with a direct LOS.

Also, this recap can be skipped by going to the original wired article: http://www.wired.com/2015/10/this-radio-trick-silently-hacks...


Siri can't be renamed to stupidhead or anything else for that matter, but the always listening feature can be disabled.


I stand corrected, I assumed that you could as you can rename what Siri calls you. Learn something new every day.



As presented, people are only vulnerable if they:

- Allow Siri from the lock screen

- Have headphones plugged in (presumably Apple's)

- Are not using their device or have their headphones in (otherwise the attack would be detected immediately) OR:

- Have audible feedback from Siri disabled

P.S. Link to source article: http://www.wired.com/2015/10/this-radio-trick-silently-hacks...

Original research publication: http://ieeexplore.ieee.org/xpl/articleDetails.jsp?reload=tru...


> - Allow Siri from the lock screen

Lots of people use 'Hey Siri', myself included.

> - Have headphones plugged in (presumably Apple's)

Not that unlikely.

> - Are not using their device or have their headphones in (otherwise the attack would be detected immediately) OR:

> - Have audible feedback from Siri disabled

These would be the killers. The moment Siri's activated you'd hear it loudly in your ears.


Does "Hey Siri" work when unplugged? My 30 seconds of Google seemed to show that it needed to be plugged in.


On the new iPhone 6S, it does not need to be plugged in.

> The integrated M9 works so efficiently and intelligently that Siri is always on and waiting for your voice commands. You can easily activate Siri by saying “Hey Siri” whenever your iPhone 6s is nearby.

(Taken from http://www.apple.com/uk/iphone-6s/technology/)


So what? You know your phone visited a website, but if that site had a zero-day, would it matter?


Generally the result is not immediate. With the speed of your network and Siri's delay, you should have a second or two to interrupt the attack.


Or the example from the article, calling a paid number.



