It is possible to leverage vulnerabilities in Siri Shortcuts, which Apple released in iOS 12, researchers said.
Siri Shortcuts is one way users can get quicker access to their applications and features or automate common tasks.
This new feature can be enabled via third-party developers in their apps, or custom built by users who download the Shortcuts app from the App Store. Once downloaded and installed, the Shortcuts app grants the power of scripting to perform complex tasks on users’ personal devices, said John Kuhn, senior threat researcher at IBM Managed Security Services, <a href="https://securityintelligence.com/hey-siri-get-my-coffee-hold-the-malware/">in a post</a>.
Siri Shortcuts can facilitate a broad range of interactions between users and their devices, either directly from the lock screen or through existing apps. What’s more, users can share these Shortcuts from the app itself via iCloud.
Developers can create Shortcuts and present them to users from within their apps, and the shortcuts can appear on the lock screen or in ‘search’, based on time, location and context.
According to IBM’s security researchers, Shortcuts could be created for malicious purposes, such as scareware, a pseudo-ransom attack in which attackers scare victims into paying by leading them to believe their data has been compromised.
Siri Shortcuts has its merits and some security concerns. Here are some tips to ensure a secure Shortcut experience:
- Never install a Shortcut from an untrusted source.
- Check the permissions the shortcut is requesting and never grant access to portions of your phone you are not comfortable sharing. Things like photos, location and camera could be used to obtain sensitive information.
- Use the show actions button before installing a third-party shortcut to see the underlying actions the shortcut might take. Look for things like messaging data to numbers you don’t recognize, emailing data out, or making SSH connections to servers.
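
The review in the last tip can also be scripted when a shortcut is available as an unsigned property-list file. The following is an added example, not code from the article or from IBM; the plist keys (`WFWorkflowActions`, `WFWorkflowActionIdentifier`) and the action identifier strings are assumptions about the exported file format, and the sample shortcut is constructed.

```python
import plistlib

# Assumed identifiers for the behaviours the tips say to look for.
REVIEW_ACTIONS = {
    "is.workflow.actions.sendmessage": "sends a message",
    "is.workflow.actions.sendemail": "sends an email",
    "is.workflow.actions.runsshscript": "runs a script over SSH",
}


def audit_shortcut(data):
    """Return (position, identifier, reason) for each action worth reviewing."""
    try:
        doc = plistlib.loads(data)  # auto-detects XML and binary plists
    except Exception as exc:
        raise ValueError("not a readable property list") from exc
    if not isinstance(doc, dict):
        raise ValueError("top-level plist object is not a dictionary")

    findings = []
    for pos, action in enumerate(doc.get("WFWorkflowActions", []), start=1):
        if not isinstance(action, dict):
            # A malformed entry is itself worth a manual look.
            findings.append((pos, "<malformed>", "entry is not a dictionary"))
            continue
        ident = action.get("WFWorkflowActionIdentifier", "")
        reason = REVIEW_ACTIONS.get(ident)
        if reason:
            findings.append((pos, ident, reason))
    return findings


# Constructed sample: a harmless text action followed by two actions to review.
SAMPLE = plistlib.dumps(
    {
        "WFWorkflowActions": [
            {"WFWorkflowActionIdentifier": "is.workflow.actions.gettext"},
            {"WFWorkflowActionIdentifier": "is.workflow.actions.sendmessage"},
            {"WFWorkflowActionIdentifier": "is.workflow.actions.runsshscript"},
        ]
    },
    fmt=plistlib.FMT_BINARY,
)

if __name__ == "__main__":
    for pos, ident, reason in audit_shortcut(SAMPLE):
        print(f"action {pos}: {ident} ({reason})")
```

A finding is a prompt to inspect that action's recipients or host in the Shortcuts app, not proof that the shortcut is malicious.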