Siri Shortcuts, a feature that Apple added in iOS 12, can be abused to scare or trick users into paying ransom demands, spread malware, and for data exfiltration, according to a proof-of-concept video published by IBM Security researchers.
This is possible because Siri Shortcuts is one of the most powerful and intrusive features present on modern versions of the iOS operating system.
Siri Shortcuts were created as a way for users to automate a sequence of operations that they can call using a Siri voice command. Besides being able to create Siri Shortcuts themselves, iOS users can also download the official Shortcuts app from the App Store to gain access to thousands of other user-made Shortcuts, and the iOS apps they install can install their own Siri Shortcuts as well.
Siri Shortcuts support a wide range of operations, from simple file moving tasks or opening apps, to more complex ones like screen locking or uploading content online.
It’s these latter features that John Kuhn, a senior threat researcher at IBM X-Force, believes are primed for abuse.
“Using Siri for malicious purposes, Shortcuts could be created for scareware, a pseudo ransom campaign to try to scare victims into paying a criminal by making them believe their data is in the hands of a remote attacker,” Kuhn said.
The expert says Siri Shortcuts that speak out ransom demands are easy to create. Further, attackers can use the scripts to first gather data from the phone, and use it in the spoken extortion threat to give it more authenticity and sound more convincing.
The malicious script can be even made to open a web page showing a ransom demand, and this web page can also display sample data uploaded from the victim’s phone seconds before.
These might sound silly schemes in the eyes of technical users with knowledge of cyber-security issues, but a non-technical user can be easily impressed. There’s a reason why scareware and tech support scams are efficient today, in 2019, even if they’ve been around for more than 20 years. Non-technical users can’t always distinguish an empty threat from a valid one, especially when coming from their phone.
Furthermore, Kuhn argues that a malicious Siri Shortcut script can also be made into a worm that automatically messages a victim’s entire contacts list with a link to its source, asking others to install the script as well. It can also spread download links to even more potent malware, not just other Siri Shortcuts.
Kuhn and the IBM X-Force team urge users to take the same precautions with scripts as they do with normal iOS apps and browser extensions.
Users should install Siri Shortcuts only from trusted sources, and they should always check the permissions a Shortcut is requesting access to, before moving on with the installation process.
“As tempting as it might be to just scroll past that text and hit accept, users must be more aware of good security practices, which includes reading and understanding anything they authorize to run on their device,” Kuhn said.