IBM Discovers Malicious Use of Apple Siri Shortcuts App

In iOS 12, Apple implemented the use of Shortcuts App into its voice assistant Siri. These shortcuts are designed to help users access applications and features so they can automate popular tasks. These shortcuts can also be integrated by third-party developers in their software. However, IBM has discovered that these shortcuts could be abused by hackers.

IBM Research

In research conducted by IBM Managed Security Services, they found that Siri shortcuts can be hacked. They can then be used by hackers to perform malicious activities.

In the analysis published by IBM, they state: “This new feature can be enabled via third-party developers in their apps, or custom built by users downloading the shortcuts app from the store. Once downloaded, and installed, the shortcuts app grants the power of scripting to perform complex tasks on user’s personal devices.”

They went on to say that this access can also present some potential security risks. These risks were discovered by the X-Force IRIS team and reported to Apple’s security team.

Shortcuts

The Shortcuts app is designed to improve interactions between the device and the user. One way it does this is to implement access to the device directly from the lock screen.

Users are also able to share Shortcuts from the app via the iCloud to other users.

As an example, if a user is approaching their favourite store, an app can pop up to show them the latest deals, or help them pay for an item in the store.

IBM Concerns

The experts at IBM have explained that the new feature could also be used to create malicious actions such as scareware. This is a ransom campaign designed to scare users into thinking a hacker has stolen their data from their phone.

IBM believes that using the shortcuts, a hacker could use Siri voice to make the demands, and then direct the user to a website on the phone to pay the ransom.

Experts have suggested that users never install the Shortcuts app from an unknown source and that they check the permissions.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients