A troubling issue where those using macOS and iOS devices can have their Siri conversations spied on and recorded by a malicious third party under certain circumstances has thankfully been fixed by Apple.
This was a serious flaw that affected Mac, iPhone and iPad owners, and it was discovered by application developer Guilherme Rambo, as Apple Insider reports. Rambo found that any app with Bluetooth access could exploit the security hole and spy on the user’s Siri exchanges when they were using AirPods or a Beats headset over a Bluetooth connection.
Rambo explains: “Finding out that I could get audio from AirPods without asking permission to use the microphone on macOS was the first step.”
The developer performed the same tricks on the iPhone and iPad, receiving audio of the user’s conversations (which the developer thought could be encrypted, but turned out not to be).
Fundamentally, this flaw can be exploited by any software that has been granted Bluetooth permission, and it works without prompting for microphone access or giving the user any other clue that something untoward might be going on.
Rambo informed Apple about the issue on August 26, at which point the company began an investigation, later implementing a fix (for the CVE-2022-32946 vulnerability) in the newly released iOS 16.1 (and the latest version of macOS).
Analysis: Bug eliminated and reward received
It’s good news that this issue was fixed before it became common knowledge, of course, but we have no idea whether the exploit could actually have been taken advantage of by a hacker anywhere so far. I hope not, and at least someone on the light side of the security fence has brought it to Apple’s attention to have the fix rolled out.
This is obviously a good reason to get the latest update for iOS and macOS, and bugs like these resolved are exactly why you should ensure updates are applied in a timely manner.
It’s not necessarily worth jumping on any update within hours of release – early adopters may be testing the waters for unexpected issues that are introduced, of course – but you shouldn’t wait too long before applying security updates in particular.
Rambo received $7,000 (US) for reporting the bug to Apple and, as seen on Twitter, there are some who think this is a bit petty, noting that this is the reason why people sometimes take this type of finding elsewhere rather than directly to the affected company. A troubling thought to end on…