Mac and iOS security flaw could expose your Siri conversations – but there’s a fix
A worrisome issue where people using macOS and iOS devices could have their conversations with Siri eavesdropped on and recorded by a malicious third party under certain circumstances has thankfully been addressed by Apple.
This was a serious flaw affecting Mac and iPhone or iPad owners, and it was discovered by app developer Guilherme Rambo, as Apple Insider reports. Rambo found that any app with Bluetooth access could exploit the vulnerability and eavesdrop on the user’s Siri exchanges when using AirPods or a Beats headset (with Bluetooth connections).
Rambo explains: “Finding out that I could get audio from AirPods without asking permission to use the microphone on macOS was the first step.”
The developer then performed the same tricks on the iPhone and iPad, receiving audio from the user’s conversations (which the developer initially thought was encrypted, but turned out not to be).
Crucially, this error can be exploited by any piece of software that has been granted Bluetooth permission, and it happens without a request for microphone access or any other clue to suggest to the user that something untoward is going on.
Rambo notified Apple of the issue on August 26, after which the company initiated an investigation process and then deployed a fix (for vulnerability CVE-2022-32946) in the freshly arrived iOS 16.1 (and the latest macOS build).
Analysis: Bug squashed and bounty received
It’s good news, of course, that this issue was resolved before it became widely known, but we have no idea if the exploit has actually been used by a hacker so far. Hopefully not, and at least someone on the light side of the security fence brought it to Apple’s attention to get the fix implemented.
Obviously, this is a good reason to grab the latest update for iOS and macOS, and bugs like this that get fixed are exactly why you need to make sure updates are applied in a timely manner.
It doesn’t necessarily pay to jump on a particular update within hours of its release — early adopters can, of course, test the waters for unexpected issues that are introduced — but you shouldn’t let it wait too long before applying security updates in particular.
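The practical defender's task behind that advice is confirming that a machine actually runs a build at or above the one carrying the fix. The following POSIX shell script is an added example, not code from the article or from Apple: it compares dotted version strings component by component (so that 13.0.1 correctly sorts above 13.0 and 12.6.1 below it) and reports whether an installed version meets a minimum. The minimum macOS version is deliberately left as an environment variable you supply, because the article only says the fix shipped in "the latest macOS build"; take the exact number from Apple's security advisory for CVE-2022-32946.

```shell
#!/bin/sh
# Added example, not from the article: check whether an installed macOS version
# is at or above the build that contains a given security fix.

# version_ge A B -> exit status 0 if A >= B, comparing each dotted component
# numerically. Missing trailing components are treated as 0, so 13.0 == 13.0.0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        # Consume the leading component; when no dot remains, consume everything.
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# check_patched INSTALLED MINIMUM -> prints "patched" or "unpatched".
check_patched() {
    if version_ge "$1" "$2"; then
        echo "patched"
    else
        echo "unpatched"
    fi
}

# MIN_MACOS_FIXED is an assumption left for you to fill in from Apple's advisory
# (e.g. MIN_MACOS_FIXED=13.x sh check.sh); the article does not state the number.
MIN_MACOS_FIXED="${MIN_MACOS_FIXED:-}"

# Only consult the real system when running on macOS and a minimum was given,
# so the functions above can also be exercised on any POSIX shell.
if command -v sw_vers >/dev/null 2>&1 && [ -n "$MIN_MACOS_FIXED" ]; then
    installed="$(sw_vers -productVersion)"
    echo "macOS $installed: $(check_patched "$installed" "$MIN_MACOS_FIXED") (minimum $MIN_MACOS_FIXED)"
fi
```

On a fleet, the same comparison is what an MDM compliance rule performs; the value of doing it by hand is seeing why naive string comparison fails (as a string, "12.6.1" sorts after "13.0" only by luck of the first character, and "13.0.10" would sort below "13.0.9").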
Rambo received $7,000 (US) for reporting the bug to Apple, and as seen on Twitter, there are some who think this is a little on the stingy side – they note that this is why people sometimes go elsewhere with these kinds of finds, rather than directly to the affected company. A disturbing thought to end on…