Hey Siri, Get My Coffee, Hold the Malware

With Apple’s introduction of iOS 12 for all their supported mobile devices came a powerful new utility for automation of common tasks called Siri Shortcuts. This new feature can be enabled via third-party developers in their apps, or custom built by users downloading the shortcuts app from the app store. Once downloaded and installed, the Shortcuts app grants the power of scripting to perform complex tasks on users’ personal devices.

But accessing the phone from Siri Shortcuts also presents some potential security risks that were discovered by X-Force IRIS and reported to Apple’s security team. This post gives some insight into potential attack scenarios using Shortcuts and reminds users that keeping a tight lid on app permissions is a critical step to upping security on devices and the way we use them.

Shortcuts Make Life Easier, Right?

Want to turn all your lights to disco, play your favorite soundtrack, and text your friends to come over? Or maybe perform complex mathematical computations with a single voice command? Siri Shortcuts can help do that and facilitate much more in user interaction with their devices, directly from the lock screen or via existing apps they use. These shortcuts can also be shared between users, using the app itself via iCloud, which means they can be passed around rather easily.

Beyond users wishing to automate daily activities, app developers can create shortcuts and present them to their user base from within their apps. The shortcut can then appear on the lock screen or in ‘search’ when it is deemed appropriate to show it to the user based on time, location and context. For example, a user approaches their usual coffee shop, and the relevant app pops up a shortcut on the screen to allow them to order the usual cup of java and pay for it on the app before they even enter the coffee shop.

These shortcuts are a nifty addition to Siri’s functionality, but while allowing extended functionality and personalization of the use of Siri, there are some less favorable scenarios to consider.

Siri Shortcuts Can Also Be Abused by Attackers

Siri Shortcuts can be a useful tool for both users and app developers who wish to enhance the level of interaction users have with their apps. But this access can potentially also be abused by malicious third parties. According to X-Force IRIS research, there are security concerns that should be taken into consideration in using Siri Shortcuts.

Siri Demanding Ransom?

Using Siri for malicious purposes, Shortcuts could be created for scareware, a pseudo ransom campaign to try to scare victims into paying a criminal by making them believe their data is in the hands of a remote attacker.

Using native shortcut functionality, a script could be created to speak the ransom demands to the device’s owner by using Siri’s voice. To lend more credibility to the scheme, attackers can automate data collection from the device and have it send back the user’s current physical address, IP address, contents of the clipboard, stored pictures/videos, contact information and more. This data can be displayed to the user to convince them that an attacker can make use of it unless they pay a ransom.

To move the user to the ransom payment stage, the shortcut could automatically access the Internet, browsing to a URL that contains payment information via cryptocurrency wallets, and demand that the user pay-up or see their data deleted, or exposed on the Internet.

The More the Merrier

To add to this scenario, the malicious shortcut can also be configured to spread to other devices by messaging everyone on the victim’s contact list, prompting them to download and install the same shortcut. This would be a cost effective and hard to detect distribution method, coming from a trusted contact.

In a video we created we show how native functionality can be used to make convincing ransom threats to someone running a malicious Siri Shortcut.

Pay attention to the following steps taking place in the video:

  1. The shortcut is configured to gather personal data from the device:
  • It can collect photos from the camera roll.
  • Grab the contents of the clipboard.
  • Get the physical address of the device’s location.
  • Find the external IP address.
  • Get the device’s model.
  • Get the device’s current mobile carrier
  1. The Siri Shortcut can message the information to an external party; this data can also be sent over SSH to the attacker’s server using native functionality.
  2. The Shortcut can set the brightness and volume of the device to 100%
  3. It can turn the device’s flashlight on and off while vibrating at the same time to get the user’s attention and make them believe their device has been taken over.
  4. The Shortcut can be made to speak a ransom note which can include convincing personal details to make the user believe the attacker. For example, it can indicate the IP address and physical address of the person and demand payment.
  5. The Shortcut can be further programmed to then display the spoken note in a written alert format on the device.
  6. To nudge the user to pay up, the Shortcut can be configured to open a webpage, accessing a URL that contains payment information to a cryptocurrency wallet, or a phishing page demanding payment card/account information[1].
  7. To spread around, and since Siri Shortcuts can be shared among users, the malicious Shortcut could also send a link to everyone in the user’s contact list giving it a “worm like” capability[2] that’s easy to deploy but harder to detect.

[1] Not shown in this video

[2] Not shown in this video

Not Only Ransom

In our security research labs, we tested the ransom attack scenario. The shortcut we created was named “Ransom” in the video, but it could easily be named any other name to entice users to run it. Lures, such as game cheats/hacking, unlocking secret functionality in apps, or getting free money, often entice users to tap on a shortcut and see where it leads.

From our researchers’ experience, users may fall prey to social engineering and end up installing and running malicious code or apps on their devices.

Using Siri Shortcuts More Safely

Siri Shortcuts has its merits and some security concerns to be aware of. Yet, it is possible to use this functionality in a safer manner.

  1. Never install a Shortcut from an untrusted source.
  2. Check the permissions that the shortcut is requesting and never give permission to portions of your phone you are not comfortable with. Things like photos, location and camera could be used to obtain sensitive information.

Siri Shortcut on iOS12

  1. Use the show actions button before installing a third-party shortcut to see the underlying actions the shortcut might take. Look for things like messaging data to numbers you don’t recognize, emailing data out, or making SSH server connections to servers.

Checking permissions for Siri Shortcut

Apple Controls Centralized Patch Control

Siri Shortcuts is a native feature of iOS12; however, in order to utilize custom shortcuts, one must download the Shortcuts app from Apple’s app store. This gives Apple the ability to patch/update the functionality of the Shortcuts app without having to update the entire OS version.

Users Should Be Very Selective with App Permissions

It’s also important to note that using the shortcuts is designed for, and therefore requires, a lot of user interaction. First, users must download and install the shortcut from a shared source, and then manually tap it to run. Users must also grant access to photos, contacts or any sensitive data the shortcut wants access too.

A sharp reminder to validate anything you install on your mobile device as Shortcuts allows you to see everything the script is capable of before installing. As tempting as it might be to just scroll past that text and hit accept, users must be more aware of good security practices, which includes reading and understanding anything they authorize to run on their device.

John Kuhn

Senior Threat Researcher, IBM

John Kuhn, Senior Threat Researcher, IBM Managed Security Services – John spends his days monitoring client networks...