Today, we managed to crack open Siri’s protocol. As a result, we are able to use Siri’s recognition engine from any device. Yes, that means anyone could now write an Android app that uses the real Siri! Or use Siri on an iPad! And we’re going to share this know-how with you.
As you know, the “S” in HTTPS stands for “secure”: all traffic between a client and an HTTPS server is encrypted, so we couldn’t read it with a sniffer. In that case, the simplest approach is to stand up a fake HTTPS server, point the phone at it with a fake DNS server, and look at the incoming requests. Unfortunately, the people behind Siri did things right: the client checks that the certificate of guzzoni.apple.com is valid, so you cannot simply fake it. Well… they did check that it was valid, but the thing is, you can add your own “root certificate” to the device, which lets you mark any certificate you want as valid.
So basically all we had to do was set up a custom SSL certification authority, add it to our iPhone 4S, and use it to sign our very own certificate for a fake “guzzoni.apple.com”. And it worked: Siri was sending its commands to our own HTTPS server! Seems like someone at Apple missed something!
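The gap the write-up describes is that the client trusts every root in the device trust store, including ones the user installs, so a certificate from a user-added CA passes the validity check. The usual fix is certificate pinning: the app also requires the server’s SubjectPublicKeyInfo (SPKI) hash to match a value baked into the app, so a certificate from some other CA with some other key is rejected even though it chains to a trusted root. The example below is added here and is not Applidium’s or Apple’s code; it builds two constructed, minimally DER-encoded certificates for “guzzoni.apple.com” (one from a hypothetical Apple CA, one from a hypothetical custom CA, both with placeholder key bytes and an unchecked placeholder signature) and shows that an SPKI pin accepts the first, still accepts a reissue of it with the same key, and rejects the second.

```python
import base64
import hashlib

# --- Minimal DER encoder, just enough to build a constructed sample certificate ---

def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def seq(*parts):
    return tlv(0x30, b"".join(parts))

def integer(n):
    # Width chosen so a set high bit gets a leading zero byte (positive INTEGER).
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def name(common_name):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; only commonName (2.5.4.3) here.
    cn_oid = tlv(0x06, bytes([0x55, 0x04, 0x03]))
    return seq(tlv(0x31, seq(cn_oid, tlv(0x0C, common_name.encode()))))

RSA_OID = tlv(0x06, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01]))
ALG_ID = seq(RSA_OID, tlv(0x05, b""))  # AlgorithmIdentifier { rsaEncryption, NULL }

def spki(public_key_bytes):
    # SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING subjectPublicKey }
    return seq(ALG_ID, tlv(0x03, b"\x00" + public_key_bytes))

def make_cert(issuer_cn, subject_cn, serial, public_key_bytes):
    """Build a structurally valid Certificate with a placeholder (unverified) signature."""
    validity = seq(tlv(0x17, b"111114000000Z"), tlv(0x17, b"121114000000Z"))
    tbs = seq(tlv(0xA0, integer(2)), integer(serial), ALG_ID, name(issuer_cn),
              validity, name(subject_cn), spki(public_key_bytes))
    return seq(tbs, ALG_ID, tlv(0x03, b"\x00" + b"\xAB" * 16))

# --- Minimal DER walker used by the pinning check ---

def der_iter(buf):
    """Yield (tag, whole TLV bytes, content bytes) for each element in buf.
    Single-byte tags only, which covers the X.509 subset used here."""
    pos = 0
    while pos < len(buf):
        start, tag, length = pos, buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        end = pos + length
        yield tag, buf[start:end], buf[pos:end]
        pos = end

def extract_spki(cert_der):
    """Return the SubjectPublicKeyInfo TLV from a DER certificate."""
    _, _, cert_body = next(der_iter(cert_der))       # Certificate SEQUENCE
    _, _, tbs_body = next(der_iter(cert_body))       # TBSCertificate SEQUENCE
    fields = list(der_iter(tbs_body))
    # Field order: [version], serial, signature alg, issuer, validity, subject, SPKI.
    index = 6 if fields[0][0] == 0xA0 else 5
    return fields[index][1]

def spki_pin(cert_der):
    """Pin = base64(SHA-256(SPKI DER)), the form used for HTTP public-key pins."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def connection_allowed(cert_der, pinned):
    """Chain validation is assumed to have passed already; this is the extra pin check.
    A user-added root cannot help an attacker here: their leaf carries a different key."""
    return spki_pin(cert_der) in pinned

# Constructed sample data (placeholder key bytes, hypothetical CA names).
APPLE_KEY = bytes(range(1, 33))
ROGUE_KEY = bytes(range(200, 232))
LEGIT_CERT = make_cert("Hypothetical Apple Siri CA", "guzzoni.apple.com", 4242, APPLE_KEY)
RENEWED_CERT = make_cert("Hypothetical Apple Siri CA", "guzzoni.apple.com", 4243, APPLE_KEY)
ROGUE_CERT = make_cert("Custom test CA", "guzzoni.apple.com", 1, ROGUE_KEY)
PINS = {spki_pin(LEGIT_CERT)}  # what the app would ship with

if __name__ == "__main__":
    for label, cert in (("legit", LEGIT_CERT), ("renewed", RENEWED_CERT), ("rogue", ROGUE_CERT)):
        print(f"{label:8s} pin={spki_pin(cert)} allowed={connection_allowed(cert, PINS)}")
```

Pinning the SPKI hash rather than the whole certificate is deliberate: the renewed certificate has a new serial number but the same key, so the pin keeps working across routine reissues, while a certificate minted by any other CA for the same hostname fails because its key differs.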
The Applidium team also discovered the following:
- The iPhone 4S sends raw audio data compressed with the VoIP codec Speex.
- You will need an iPhone 4S identifier to use Siri on another device.
- The Siri protocol is very ‘chatty’. Apple’s servers exchange a lot of data with your iPhone, and even provide confidence scores and timestamps when you use text-to-speech, for example.
You can check out the rest of the detailed write-up by the Applidium team here. You can bet Apple is already working on closing this loophole.