The latest updates for iOS and macOS have fixed a serious security flaw that could allow apps with Bluetooth access to record conversations with Siri.
An app was able to record a person's conversations with Siri and the audio of iOS keyboard dictation when using AirPods or a Beats headset. This was done without the app needing access to the microphone or showing that it was using the microphone. Developer Guilherme Rambo found and reported it to Apple on August 26. Apple has fixed the vulnerability, which is listed as CVE-2022-32946 and was patched on October 24 with iOS 16.1 and macOS Ventura.
SiriSpy
Rambo was initially surprised by the audio quality of the AirPods when using Siri, saying that there was no loss of quality when using the microphone, whereas video conferencing, for example, usually results in a drop in quality. He investigated the issue using the command-line tool "bleutil," which he developed and which lets him interact with Bluetooth Low Energy devices on macOS. During testing, the developer discovered that the tool intercepted audio data from the AirPods while he was using Siri and that it did not require microphone permission from the system. So, at the end of August, he wrote an app for iPhone, iPad, Apple Watch, and Apple TV, which ran on both iOS 15 and the latest iOS 16 beta. The app tested the vulnerability, and Rambo discovered that an app with Bluetooth permission could record the user in the background without requesting permission.
How you can protect yourself
In Control Center, only "Siri & Dictation" was displayed as the running feature instead of the app. In this case, the only way to protect conversations on iPhones and Macs is to update to the latest software, i.e., iOS 16.1, iPadOS 16.1, and macOS Ventura. Updating is the best and most common advice in the world of security. Updates for apps and operating systems almost always contain fixes for security vulnerabilities found in older software versions.




