I think they buried the lede here. Conversations with Siri are probably pretty generic but being able to eavesdrop on keyboard dictation is pretty severe. I know people that use dictation for the majority of their text messages and email.
> I know people that use dictation for the majority of their text messages and email.
Yeah, I'm one of them. The iOS keyboard has slowly become so bad that it's easier to dictate instead, and my partner does the same while driving via CarPlay. This is horrible to read about.
Even worse, it looks like on macOS you can just straight up start recording on-demand, no need for dictation or Siri.
> Even worse, this particular exploit would also allow the app to request DoAP audio on-demand, bypassing the need to wait for the user to talk to Siri or use dictation.
> I think they buried the lede here. Conversations with Siri are probably pretty generic but being able to eavesdrop on keyboard dictation is pretty severe. I know people that use dictation for the majority of their text messages and email.
I agree with your take!!
If you scroll to the "Full TCC Bypass on macOS" portion, you can see that this bug allows folks to turn on an AirPod and direct that audio to a macOS device. This could enable what is known as a Tempest Attack[0,1].
> BTLEServerAgent did not have any entitlement checks or TCC prompts in place for its com.apple.BTLEAudioController.xpc service, so any process on the system could connect to it, send requests, and receive audio frames from AirPods. This exploit would only work on macOS, because the more restricted sandbox of iOS prevents apps from accessing most global mach services directly.
Stuff like that is why I hate Bluetooth in general, and I'm on the fence if either my laptop OR phone will be Apple products when I replace them.
(They seem to cater to people who replace their devices every year and camp out outside the Apple store for new Apple stuff like nerds rather than the folks who didn't want to spend every weekend messing with kernel drivers and thus adopted what I will continue to refer to as "shiny BSD" even though they long since changed the name from OSX to macOS.)
> Can physical microphones be removed from Apple devices by a repair shop, while still allowing use of wired/wireless headsets?
Yes, this is what I do. The mike is actually still in the laptop but it's disconnected from the motherboard. On a 2021 M1 MacBook Pro all you need to do is pop off the back cover and disconnect one cable on the right side of the motherboard. All in all takes about 10 minutes of work.
"iOS bug allowed apps to eavesdrop on your conversations with Siri" should be "iOS bug allowed apps to eavesdrop on your interactions with Siri and dictation over Bluetooth"
Are there actually people using Siri? It’s pretty useless here in Italy. Most conversations I guess could be something like “raise the volume” “call mom” or stuff like that.
I'm an avid iPhone user but have never had the need or the desire to use Siri.
I suggest people do what I do, load a profile that disables Siri - easily created using the Apple Configurator tool (under "Restrictions" untick "Allow Siri").
N.B. I've never looked closely under Settings on the phone itself, there may well be a Siri off option there? But I just load profiles as I find it's easier for hardening.
The BLE peripheral (AirPods) has to be connected and paired. Then, this connected device was “explorable” via other apps on the same device because the actual connection is maintained by the middleware/OS… e.g. an app may disconnect from a peripheral but it’s only a request, and the OS will only truly disconnect if all apps are “disconnected.”
Not just insulting to the dev, but to users as well. Any app on my Mac being able to eavesdrop at all times when wearing AirPods is "worth" just $7k to Apple?
I'm reminded about the Apple Music passage in the After Steve book, where Apple tried to fuck over musicians just because they thought they could get away with it (zero royalty payments during Apple Music trials, so the trial was 100% subsidized by labels and artists), before walking it back. The executives are clearly far more concerned with bad PR, and not guided by values or principles.
There's really no basis for this beyond its reflexive repetition on messageboards. You might as well type 'million dollar logout CSRF' in every vulnerability report thread.
Is anyone else an avid iPhone user, yet also someone who never uses Siri? I've used an iPhone exclusively for the past 8 years, and I can count on one hand the number of times I've used Siri. Interestingly, the one person I know who loves using Siri is my 70yr old dad.
I use Siri to set a timer. That's it. And I do it by holding my power button to activate her.
My only other use of Siri usually involved phrases like "stop", "go away", "close", "fucking close!", "you stupid fcking * ** close the **** thing" when Siri would pop up out of nowhere and interrupt whatever I was actually doing. I had it turned off, but occasionally somehow it's back on, listening.
Other actual attempts at using it have been no better than 50% effective, so it wasn't worth the trouble. And I was speaking very clearly and articulately.
I've observed a friend (a Googler who had Google-fied his house) have frequent useless conversations with the Google assistant, so maybe 50% is the best you can hope for. No experience with Alexa, but I'd be too scared to even turn it on; I might end up with three refrigerators delivered the next day.
I use Siri all the time and am half your dad's age.
“Get directions to the nearest gas station.”, “What’s the score of the Giant’s game?”, “Play Master of Puppets”, “What is 4’3” in centimeters?” And many, many more.
You are not alone. I've been using an iPhone for over a decade now. I've had Siri turned off the entire time. I have never turned it on. I do not now, or ever, want a "voice assistant" or any technology that listens to me and tries to understand what I want by listening to me. I want technology that does exactly what I tell it to do and nothing more.
Siri is a better option than the alternative "voice assistants" on the market, but they're all bad in my book, and I don't want any of them.
I briefly enabled it so I could text mum to say when I was nearly home. Avoids sneaking a traffic light text. Turns out it was waaaaaaaay more distracting and time consuming to get Siri to text a single word, so back into the box it went.
I switched from Android a few years ago because my company gives out iphones as a perk. I used "ok google" extensively, and loved it. It was incredibly good at answering obscure questions and doing things like navigating or playing a song. It would do what I wanted almost every time, even if I was trying a new command for the first time.
I try to use Siri for the same things, but she suuuuuuucks. If I ask her to play a song, 9 out of 10 times it will do something idiotic- like I say "hey siri play tears in heaven on spotify", she might reply "now playing tears in heaven by a shitty kazoo cover band". If I say "navigate to the closest olive garden", it would say "navigating to olive garden corporate headquarters, estimated travel time 43 hours 12 minutes." But never mind, I can see the olive garden I was looking for, it's at the end of the street I'm on.
These are artificial examples because I can't remember specifics right now, but trust me - the real examples were just as dumb.
She's great at setting timers or alarms though! And I can reliably use her to pause, skip, or adjust volume when I'm showering or something.
I use Siri for setting timers and reminders. It's pretty good at parsing numbers. Other than that, it hasn't been very reliable for me. Apple really needs to overhaul Siri's intelligence.
My personal use as someone in his 30s is mostly as a kitchen timer with a HomePod mini (not my phone), to turn on/off lights, and to occasionally toss things onto a to-do list.
My dad on the other hand loves his full size HomePod stereo pair and uses them frequently, almost entirely for playing music with voice commands. I think there are other things he might find it useful for but I haven't shown him those yet.
I have never enabled Siri on any device. Precisely for fear of this kind of shit, or the ones where humans are listening to the recordings that are obviously being made, and all of the other logical conclusions one can reach on how this can be abused.
Just like HDD failures, it is not a question of if but when.
I have never even set up Siri. Sometimes I've been tempted to enable it so I can say, "Siri, call 911!" if I'm assaulted or injured on the trail. I doubt it would help, but it's occasionally disconcerting when my phone isn't quickly accessible.
In my experiences working on voice OS, it's boom or bust depending on the user. Some people use it rarely if ever and some people live by it, and there's little in between. I think it makes sense in most cases to view voice commands as an accessibility feature.
Siri killer apps for me are asking for factoids via my watch, and opening my garage door as I approach while driving (my building uses an app that requires multiple taps + swipes to open the garage door, using Siri makes it palatable.)
For sure. I stood in line for the original iPhone, owned every model (except the 5C) up through the 6, then an SE, X, and now an 11 Pro since it came out. I played around with Siri when it debuted, but didn't use it much. I turned it off at some point (I think it was when Apple was catching grief for keeping recordings or something like that) and haven't missed it. I'm not against it especially -- it just never really became part of my life.
My trust of what Siri is capable of is laughably low but I do use it for reminders ("Remind me on X day...", "Remind me in X hours...", "Remind me when I get home...") and for timers. Occasionally I'll use it for unit conversions but I usually use Alexa for that since I'm in my kitchen often when I use that and it's just right there. Other than that I don't use it.
I only use it to set timers and it sucks at that half the time, not even going to bother with the faff of doing anything more complex. It's quicker to just do it myself as I'll probably have to unlock the screen anyway.
"Siri, timer, one hour thirty"
"Timers can't be set for a time of day, so I set your Timer alarm for 1:30"
I was that way for a long time, but the Apple TV remote got me using it and I now occasionally do use it on my iPhone, mainly while driving to play music or reply to texts. Definitely has come a long way and is useful, one of my friends never types texts anymore and just dictates through Siri.
My mother loves using Siri, she always uses it when she wants to look things up. It seems quite useful for people who aren't proficient at typing quickly, easier to ask Siri.
The first day I asked her for the weather, songs and alarms.
The second day I Turing tested her, asked it philosophical questions and insulted it the worst way.
Yes, that was pretty much it.
iPhone user since 2009. I used Siri for about a month when it first came out because I really liked hearing a British man's voice say "SSSSHedule" to me instead of "skedule", but then I learned it was sending all audio to the cloud and noped out.
There were some stubborn bad decisions that Steve Jobs stuck to (1 button mouse, windows that don't appear when you cmd-tab to them), but his Apple seemed to have better software. Since him, it really seems to have gone downhill in terms of bugs and UI consistency.
Kinda funny that you have to buy/support hardware from a company but then need to use an open-source nonprofit OS to protect yourself against said hardware producer.
freeplay|3 years ago
girvo|3 years ago
cstejerean|3 years ago
dontbenebby|3 years ago
-- [0] https://en.wikipedia.org/wiki/Tempest_(codename)#Public_rese... [1] http://m6rqq6kocsyugo2laitup5nn32bwm3lh677chuodjfmggczoafzw[...
aquajet|3 years ago
walterbell|3 years ago
Can physical microphones be removed from Apple devices by a repair shop, while still allowing use of wired/wireless headsets?
We need Purism-style hardware kill switches for microphones, cameras and radios.
SamuelAdams|3 years ago
cosentiyes|3 years ago
And accelerometers and ...
MBCook|3 years ago
LaputanMachine|3 years ago
There have been reports that the 2020 iPhone SE cannot be used without a microphone:
https://repair.wiki/w/IPhone_SE_(2020)
_hhkc|3 years ago
sneak|3 years ago
nick88msn|3 years ago
mfbx9da4|3 years ago
2T1Qka0rEiPr|3 years ago
> and then receive a reply in the form of "here's what I found on the web...
Really made me chuckle. As a non-Apple user who has to put up with HomePods, this rings so very true.
traceroute66|3 years ago
atlex2|3 years ago
semireg|3 years ago
greenicon|3 years ago
walterbell|3 years ago
tinus_hn|3 years ago
runjake|3 years ago
concinds|3 years ago
rtev|3 years ago
pxmpxm|3 years ago
urbandw311er|3 years ago
javajosh|3 years ago
lapcat|3 years ago
walterbell|3 years ago
jdelman|3 years ago
henriquez|3 years ago
pvg|3 years ago
hazyc|3 years ago
dilap|3 years ago
The other day in a hurry and driving somewhere, I ended up w/ both Apple Maps and Google Maps open, simultaneously giving me directions.
"Hey Siri, close Google Maps"
"To close an application, swipe up from the bottom of the phone..."
To paraphrase a quote from Steve Jobs, if your voice assistant asks you to touch the screen, you blew it.
z9znz|3 years ago
dfee|3 years ago
tristor|3 years ago
Ntrails|3 years ago
knodi123|3 years ago
BudaDude|3 years ago
kitsunesoba|3 years ago
zippergz|3 years ago
dylan604|3 years ago
dvzk|3 years ago
madrox|3 years ago
asadlionpk|3 years ago
nanidin|3 years ago
aparks517|3 years ago
joshstrange|3 years ago
corobo|3 years ago
"Siri, timer, one hour thirty"
"Timers can't be set for a time of day, so I set your Timer alarm for 1:30"
Every damn time. Siri hates Brits.
Aaronstotle|3 years ago
SigmundA|3 years ago
parker_mountain|3 years ago
trap_goes_hot|3 years ago
TheFreim|3 years ago
lagrange77|3 years ago
az_reth|3 years ago
crazygringo|3 years ago
That's literally the only thing.
sbf501|3 years ago
dcdc123|3 years ago
bdougherty|3 years ago
QuackyTheDuck|3 years ago
z9znz|3 years ago
freeplay|3 years ago
gw99|3 years ago
mikece|3 years ago
aaronharnly|3 years ago
devX3|3 years ago
dylan604|3 years ago
MBCook|3 years ago
Sit on it knowing others may find it and users are at risk?
Who cares he got paid. That’s not why he did it, he found it while developing one of his apps and reported it. Good for him.
It’s nice Apple paid him. I can understand thinking it should have been more. But what ethical alternative is there to reporting it?
TheLoafOfBread|3 years ago
Well, because he is not a corporation, he will get jumped on by lawyers and will go to jail for blackmailing Apple.
saagarjha|3 years ago
eastbound|3 years ago
This is the only way companies will take the right processes to protect those assets.
bryceacc|3 years ago
"and audio from the iOS keyboard dictation feature"