The Siri Shortcuts that Apple introduced in iOS 12 can be abused by attackers for malicious purposes, IBM’s security researchers have discovered.
Siri Shortcuts, meant to provide users with faster access to applications and features, automate common tasks and can either be enabled by third-party developers in their apps or custom-designed by users who download the shortcuts app from the App Store.
Once up and running on a user’s device, the application can perform complex tasks, which presents potential security risks, John Kuhn, senior threat researcher at IBM Managed Security Services, explains in a blog post.
Siri Shortcuts can facilitate a broad range of interactions between users and their devices, either directly from the lock screen or through existing apps. What’s more, users can share these Shortcuts from the app itself via iCloud.
Developers can create Shortcuts and present them to users from within their apps, and the shortcuts can appear on the lock screen or in ‘search’, based on time, location and context.
According to IBM’s security researchers, Shortcuts could be created for malicious purposes, such as scareware, a pseudo-ransom attack in which cybercriminals scare victims into paying by leading them to believe that their data has been compromised.
“Using native shortcut functionality, a script could be created to speak the ransom demands to the device’s owner by using Siri’s voice,” Kuhn says.
An attacker could automate data collection from the device (current physical address, IP address, contents of the clipboard, stored pictures/videos, contact information and more), and then have the data displayed to the user to convince them that the attacker can use the data.
“To move the user to the ransom payment stage, the shortcut could automatically access the Internet, browsing to a URL that contains payment information via cryptocurrency wallets, and demand that the user pay-up or see their data deleted, or exposed on the Internet,” the researcher continues.
What’s more, the attacker could configure the malicious Shortcut to spread to the victim’s contact list, prompting them to download and install the same Shortcut. With the message coming from a trusted contact, the attack is likely to succeed.
The researchers published a video demonstrating how a Shortcut can change the device’s brightness and volume, turn the flashlight on and off while vibrating at the same time, can speak a ransom note that includes convincing personal details, can display the spoken note in a written alert, and access the URL of a page containing payment information, in addition to spreading via messages to users’ contacts.
“In our security research labs, we tested the ransom attack scenario. The shortcut we created was named ‘Ransom’ in the video, but it could easily be named any other name to entice users to run it. Lures, such as game cheats/hacking, unlocking secret functionality in apps, or getting free money, often entice users to tap on a shortcut and see where it leads,” Kuhn says.
The researcher also points out that users are likely to fall for social engineering and then install the malicious code on their devices. Thus, they are advised to never install a Shortcut from an untrusted source, and to check the permissions that the Shortcut is requesting and the underlying actions the shortcut might take.