Apple’s Shortcuts app is a powerful platform for workflow and task automation, but according to a new report, it could also be used against you.
There are a number of security risks present in Siri Shortcuts, as first noted by IBM’s X-Force IRIS cybersecurity team and app developer Simeon Saëns. Both of them have reported those risks to Apple, but users should familiarize themselves with the dangers in the meantime.
X-Force IRIS researchers created a proof-of-concept attack to demonstrate the possible malicious capabilities of the Shortcuts app.
Specifically, the team created a “scareware” attack that could be used to extort money from an unwitting Siri Shortcuts user. You can see the attack in the video below.
- The shortcut attempts to scare users reading a script using Siri’s voice.
- It can also pull data from a user’s device and repeat that data to make it appear that the ransom threat is much more genuine.
- Finally, it sends a link to a cryptocurrency wallet and demands that the user pay up to see their data deleted — otherwise, the shortcut threatens to expose the user’s data by posting it on the internet.
Worse still, X-Force IRIS notes that they can spread the ransom attack to other devices by sending it to everyone on a victim’s contacts list and asking them to download the shortcut.
That’s not the only risk. Some Siri Shortcuts created by malicious entities could even be used to collect data off of a user’s iPhone.
App developer Simeon Saëns highlighted the risk in a tweet late last month. In that post, Saëns said that it was “trivially easy” for a malicious entity “to steal highly sensitive & personal information” using Siri Shortcuts.
Some of the data that could be at risk includes contact information, names typed into iMessage, addresses, browsing history, app usage data, and file contents.
As proof of that, Saëns highlighted a malicious shortcut disguised to look like a memory cleaning shortcut. But the shortcut actually stole the aforementioned data, zipped it, uploaded it to the cloud, and sent a link via iMessage to an attacker.
And while many shortcuts actually list the exact steps they take to automate the workflow, Saëns said details of the attack were “obfuscated … through base64 encoding.”
How to Protect Yourself
Siri Shortcuts is an awesome platform for iOS and Apple users, but as we’ve seen, it does have a unique set of potential dangers.
Luckily, X-Force IRIS says that there are a few things you can do to use Shortcuts more safely.
- Don’t install Siri Shortcuts from a source you don’t trust. If in doubt, only download Shortcuts from the official gallery in the app.
- You can see the underlying actions a shortcut may take by tapping the Show Actions button. Comb the shortcut for actions like sending data to strange numbers, emailing data, or making SSH server connections.
- Double-check any permissions that a shortcut asks for. Don’t accept permission requests for portions of your device that you aren’t comfortable giving out — like photos, location data, or the camera and microphone.