The Siri Shortcuts that Apple introduced in iOS 12 can be abused by attackers for malicious purposes, IBM’s security researchers have discovered.
Siri Shortcuts, meant to provide users with faster access to applications and features, automate common tasks and can either be enabled by third-party developers in their apps or custom-designed by users who download the shortcuts app from the App Store.
Once up and running on a user’s device, the application can perform complex tasks, which presents potential security risks, John Kuhn, senior threat researcher at IBM Managed Security Services, explains in a blog post.
According to IBM’s security researchers, Shortcuts could be created for malicious purposes, such as scareware, a pseudo-ransom attack in which cybercriminals scare victims into paying by leading them to believe that their data has been compromised.
“Using native shortcut functionality, a script could be created to speak the ransom demands to the device’s owner by using Siri’s voice,” Kuhn says.
An attacker could automate data collection from the device (current physical address, IP address, contents of the clipboard, stored pictures/videos, contact information and more), and then have the data displayed to the user to convince them that the attacker can use the data.
“To move the user to the ransom payment stage, the shortcut could automatically access the Internet, browsing to a URL that contains payment information via cryptocurrency wallets, and demand that the user pay-up or see their data deleted, or exposed on the Internet,” the researcher continues.