Siri Cracked to Work on Any Device–Including Android

Siri has been cracked to work from any device–including Android phones. Applidium details their findings on their site:

Today, we managed to crack open Siri’s protocol. As a result, we are able to use Siri’s recognition engine from any device. Yes, that means anyone could now write an Android app that uses the real Siri! Or use Siri on an iPad! And we’re going to share this know-how with you.

As you know, the “S” in HTTPS stands for “secure”: all traffic between a client and an https server is ciphered. So we couldn’t read it using a sniffer. In that case, the simplest solution is to fake an HTTPS server, use a fake DNS server, and see what the incoming requests are. Unfortunately, the people behind Siri did things right: they check that guzzoni’s certificate is valid, so you cannot fake it. Well… they did check that it was valid, but thing is, you can add your own “root certificate”, which lets you mark any certificate you want as valid.
So basically all we had to do was to set up a custom SSL certification authority, add it to our iPhone 4S, and use it to sign our very own certificate for a fake “guzzoni.apple.com”. And it worked: Siri was sending commands to your own HTTPS server! Seems like someone at Apple missed something!

The Applidium team also discovered the following:

  • The iPhone 4S sends raw audio data compressed with the VoIP codec Speex.
  • You will require an iPhone 4S identifier to use Siri on another device.
  • The Siri protocol is very ‘chatty’. Apple’s servers exchange a lot of data with your iPhone and even provide confidence scores and timestamps when you use text-to-speech, for example.

You can check out the rest of the detailed write-up by the Applidium team here. You can bet Apple is already working on closing this loophole.

  • Kirk

    Oh wow…this is getting a bit out of hand…Android?

    I lost all respect for this process now lol…. (My own opinion!)

  • Anonymous

    AWESOME 😀

  • TylerAdams82

    Is it available?

  • Anonymous

    I stand by the theory that this will not last long.

    Do we really think that Apple of all companies won’t be watching their servers and slapping duped IDs with a large trout? (caution – showing my age!)

    Is anyone going to be willing to offer up their identifier as soon as they add a script that checks IMEI and location for example, and compares the same ID coming in from a location nowhere near the first one within a specified time frame?
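
The server-side check this comment describes, written out as an added example that is not part of the comment, the article or Applidium's write-up. The log format, the identifiers, the 1000 km/h speed ceiling and the 50 km noise floor are all assumptions, and it presumes the server has a coarse location for each request.

```python
import math
from collections import defaultdict
from datetime import datetime

MAX_KMH = 1000.0   # assumed ceiling for plausible travel speed
MIN_KM = 50.0      # assumed noise floor: ignore small geolocation jitter

# Constructed sample log: timestamp, device identifier, latitude, longitude
SAMPLE_LOG = """\
2011-11-15T09:00:00 ID-AAAA 48.8566 2.3522
2011-11-15T09:05:00 ID-BBBB 48.8566 2.3522
2011-11-15T09:10:00 ID-AAAA 43.6532 -79.3832
2011-11-15T09:40:00 ID-BBBB 48.8049 2.1204
2011-11-15T10:00:00 ID-CCCC 48.8566 2.3522
2011-11-15T20:00:00 ID-CCCC 43.6532 -79.3832
"""

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse(log):
    """Yield (time, identifier, lat, lon) from whitespace-separated lines."""
    for line in log.splitlines():
        if line.strip():
            ts, ident, lat, lon = line.split()
            yield datetime.fromisoformat(ts), ident, float(lat), float(lon)

def find_shared_identifiers(log, max_kmh=MAX_KMH):
    """Return {identifier: [(t_prev, t_cur, km, kmh), ...]} for implausible jumps."""
    last_seen = {}
    alerts = defaultdict(list)
    for t, ident, lat, lon in sorted(parse(log)):
        if ident in last_seen:
            t0, lat0, lon0 = last_seen[ident]
            km = haversine_km(lat0, lon0, lat, lon)
            hours = (t - t0).total_seconds() / 3600
            # Same instant from two places counts as infinite speed.
            kmh = km / hours if hours > 0 else math.inf
            if km > MIN_KM and kmh > max_kmh:
                alerts[ident].append((t0, t, km, kmh))
        last_seen[ident] = (t, lat, lon)
    return dict(alerts)
```

In the constructed log only ID-AAAA is flagged: ID-BBBB moves a few kilometres, and ID-CCCC covers the same long distance over ten hours, which stays under the assumed speed ceiling.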

  • Anonymous

    “You will require an iPhone 4S identifier to use Siri on another device.”

    The biggest thing stopping you from using Siri on another device. Not sure if this can be cracked since it’s the servers that do the authenticating to make sure that it’s a real 4S

  • Anonymous

    As this is a server dependent function, it should not be difficult for Apple to close this loophole at all.
