Probably so it'll work through strict proxies.


Since it's HTTPS, those proxies can't see the traffic anyway, so as long as they used SSL on port 443, they could use any protocol on top.


They potentially can; commercial firewalls can man-in-the-middle HTTPS traffic with a locally signed and organization-computer-trusted SSL certificate.


Yes, you're right, in fact I found a few weeks ago that even Squid can do that.


Fiddler also: http://www.fiddler2.com/fiddler/help/httpsdecryption.asp

Great for debugging third party https stuff.


How does that work? I thought all verification of certificates was done in the browser...


IT installs the corporate MITM certificate on all of their computers so the browsers accept them as valid.


Would this still affect the iPhone 4S though? If I understand this all correctly, I think that corporate IT would have to install the self-signed root cert on your phone for Siri to be MITM'd. There's no reason for your phone to trust it otherwise.
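
The trust question raised in this comment can be checked concretely. The following Go program is an added example and not code from the thread or from Apple: it builds two throwaway CAs in memory (a "genuine" root and a "corporate MITM" root), issues a leaf certificate for a placeholder hostname from each, and shows that once the corporate root has been pushed into the device's trust store, ordinary chain validation accepts the MITM certificate, while a client that pins the expected SubjectPublicKeyInfo hash still rejects it. The hostname, CA names and pin set are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate for name. If parent is nil the certificate
// is self-signed (a root CA); otherwise it is signed by parent/parentKey.
func makeCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{name}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// spkiPin returns the base64 SHA-256 of the leaf's SubjectPublicKeyInfo,
// the value a pinning client would ship with the app.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// chainValid is the ordinary path validation a TLS client performs.
func chainValid(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// pinOK is the extra check a pinning client performs after chain validation.
func pinOK(leaf *x509.Certificate, pins map[string]bool) bool {
	return pins[spkiPin(leaf)]
}

// Outcome records what each client check said about one server certificate.
type Outcome struct {
	ChainOK bool
	PinOK   bool
}

// Simulate plays out both scenarios on a device whose trust store contains
// the genuine root and the corporate MITM root (as after IT pushed its CA).
func Simulate() (genuine, mitm Outcome) {
	host := "siri.example.invalid" // placeholder hostname, constructed for this example

	genuineCA, genuineKey := makeCert("Genuine Root CA", true, nil, nil)
	genuineLeaf, _ := makeCert(host, false, genuineCA, genuineKey)
	corpCA, corpKey := makeCert("Corporate MITM CA", true, nil, nil)
	mitmLeaf, _ := makeCert(host, false, corpCA, corpKey)

	roots := x509.NewCertPool()
	roots.AddCert(genuineCA)
	roots.AddCert(corpCA) // the installed corporate root from the comment above

	pins := map[string]bool{spkiPin(genuineLeaf): true} // pin shipped with the client
	genuine = Outcome{chainValid(genuineLeaf, roots, host), pinOK(genuineLeaf, pins)}
	mitm = Outcome{chainValid(mitmLeaf, roots, host), pinOK(mitmLeaf, pins)}
	return genuine, mitm
}

func main() {
	g, m := Simulate()
	fmt.Printf("genuine cert: chain=%v pin=%v\n", g.ChainOK, g.PinOK)
	fmt.Printf("MITM cert:    chain=%v pin=%v\n", m.ChainOK, m.PinOK)
}
```

Run with `go run main.go`: the genuine certificate passes both checks, while the MITM certificate passes chain validation (because the corporate root is trusted) but fails the pin. Pinning is what lets a client notice interception that the trust store alone would accept; the operational cost is that the pin set must be rotated whenever the server key changes.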


Unfortunately, Siri does not use the system wide proxy. At least it does not on my iPhone. I tried intercepting the traffic with sshmitm which did work for all other iOS services (e.g. game center) but not for Siri. I'm wondering how these guys sniffed the traffic.


Did you read the article?

When the proxy failed, they "ressorted (sic) to using tcpdump on a network gateway". They eventually had to "setup a custom SSL certification authority, add it to our iPhone 4S, and use it to sign our very own certificate"


I have read that, but they used tcpdump only to detect what kind of traffic Siri sends after failing to use a normal HTTP proxy. Setting up a custom SSL certification authority is exactly what sshmitm does - but it does not (yet) support transparent proxying. Somehow they have redirected traffic for guzzoni.apple.com to a fake server that acts as a man in the middle (probably simply by using their own DNS), but what I wanted to know is what software they used to fake that server.


Not sure what they used, but this software should be suitable:

http://www.thoughtcrime.org/software/sslsniff/


They did mention using their own DNS: "In that case, the simplest solution is to fake an HTTPS server, use a fake DNS server, and see what the incoming requests are."


It's possible to do transparent proxying using iptables on Linux. Also, as ahlatimer mentioned, pointing the phone at your local DNS server and adding records for all the relevant domains would work, too.



