Cybersecurity firm Wandera has discovered two ways in which Siri can be used to dupe you into accepting calls for phishing scams, and recently demoed those exploits to Fortune.
It’s essentially a social engineering trick that relies on a somewhat helpful Siri feature that attempts to guess the identity of an unknown caller.
When Siri receives a call from an unidentified number, the virtual assistant attempts to work out who is calling by looking through your email and text messages to see if the caller has identified himself or herself to you before.
Siri then takes that best guess and tells you that “Maybe: John Doe” is calling.
While Siri warns you that this is a “maybe” and therefore uncertain, if you’re a little distracted, careless, or unwary in general, this could leave you susceptible to accepting a call from a scammer.
This Siri feature can be exploited by scammers in two different ways.
- The first method involves the scammer creating an email account bearing the name of a trusted entity (e.g. Wells Fargo) or person (e.g. Patricia).
- The scammer then needs to send you an email containing a phone number from that bogus account and receive a reply. Automated replies and out-of-office notices count in this regard.
- Once this correspondence has occurred, the scammer can call you; Siri uses the email as a reference to hazard a guess at the caller's identity and tells you that it may be Wells Fargo or your boss calling.
The second method is even simpler.
- All it requires is that the scammer send you a text message identifying himself or herself as a representative of your bank or your boss.
- Then your iPhone’s suggested contacts will show the entity as “Maybe: XXXX”.
- The next time the scammer calls you, Siri will throw that banner onto the call.
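Both methods work for the same reason: the guess is learned from a message whose sender never proved who they are. The simulation below is an added example, not Apple's implementation of the feature, and every name, address and number in it is constructed. It contrasts a naive policy (any message that pairs a name with a number teaches a "Maybe:" label) with a stricter one in which only senders already in the address book can teach a new number, and the label is always the address-book name rather than whatever the message claims.

```python
"""Simulated 'Maybe:' caller identification: a naive policy versus a stricter one.

Added example, not Apple's code. It models one design choice behind the behaviour
the article describes: whether a caller-ID suggestion may be learned from an
unverified inbound message that names itself.
"""
import re
from dataclasses import dataclass


@dataclass
class Message:
    channel: str       # "email" or "sms"
    sender: str        # email address, or the originating phone number for SMS
    claimed_name: str  # the name the message itself asserts (display name, "this is ...")
    phone: str         # the phone number the message carries


def normalize_phone(raw: str) -> str:
    """Reduce a number to its last 10 digits so formatting differences do not matter."""
    return re.sub(r"\D", "", raw)[-10:]


def sender_key(m: Message) -> str:
    """Address-book lookup key: normalized number for SMS, lowercase address for email."""
    return normalize_phone(m.sender) if m.channel == "sms" else m.sender.lower()


def naive_suggestions(messages):
    """Naive policy: every message that pairs a name with a number becomes a guess,
    regardless of who sent it. This is the behaviour the article describes."""
    guesses = {}
    for m in messages:
        guesses[normalize_phone(m.phone)] = m.claimed_name
    return guesses


def strict_suggestions(messages, address_book):
    """Stricter policy: only a sender already in the address book can teach a new
    number, and the label is the address-book name, never the message's own claim."""
    guesses = {}
    for m in messages:
        known_name = address_book.get(sender_key(m))
        if known_name is not None:
            guesses[normalize_phone(m.phone)] = known_name
    return guesses


def caller_banner(incoming_number: str, suggestions) -> str:
    """What the call screen would show for an incoming number under a given policy."""
    name = suggestions.get(normalize_phone(incoming_number))
    return f"Maybe: {name}" if name else "Unknown Caller"


# Constructed sample data; every name, address and number here is made up.
ADDRESS_BOOK = {"patricia@example-corp.test": "Patricia"}
SAMPLE_MESSAGES = [
    # Legitimate: a contact who is already in the address book shares a new number.
    Message("email", "patricia@example-corp.test", "Patricia", "+1 (555) 010-0001"),
    # Method one from the article: a fresh account whose display name claims a bank.
    Message("email", "alerts@mail-example-bank.test", "Example Bank", "+1 555 010 0002"),
    # Method two from the article: an unknown number texts "this is Patricia".
    Message("sms", "+1 555 010 0003", "Patricia", "+1 555 010 0003"),
]


if __name__ == "__main__":
    policies = (("naive", naive_suggestions(SAMPLE_MESSAGES)),
                ("strict", strict_suggestions(SAMPLE_MESSAGES, ADDRESS_BOOK)))
    for label, policy in policies:
        for number in ("555-010-0001", "555-010-0002", "555-010-0003"):
            print(f"{label:6} {number}: {caller_banner(number, policy)}")
```

Under the naive policy both constructed impersonation messages produce a reassuring "Maybe:" banner for the scammer's number; under the strict policy they produce "Unknown Caller", while the legitimate contact's new number is still labelled. The point for a defender is that a self-asserted name in an unverified message is an untrusted input, and a user-facing "maybe" qualifier is a weak substitute for refusing to learn from it at all.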
It is extremely simple to pull off, and it speaks to the range of weaknesses that our reliance on AI-driven conveniences has created and will continue to create.
“We didn’t do anything crazy here like jailbreak a phone or a Hollywood style attack—we’re not hacking into cell towers,” Dan Cuddeford, Wandera’s director of engineering, said to Fortune. “But it’s something that your layman hacker or social engineer might be able to do.”
That being said, it’s even easier to reject calls from unknown numbers. When Wandera reported the vulnerability to Apple, the company dismissed it as a software issue and refused to classify it as a security vulnerability.
Mark Gurman of Bloomberg also dismissed it as a non-issue, noting that the Siri feature had been around since iOS 9 and that Apple could easily add a switch to allow users to toggle this function off.
To stop Siri from drawing on other apps' content to suggest caller matches on your iPhone:
- Open Settings.
- Tap Contacts.
- Tap Siri & Search.
- Toggle off “Find Contacts in Other Apps”.