21 October 2014

Beyond TEDIPAY

Alexander Peschkoff - TEDIPAY


Apple's Siri - iPhone security hole

23 May 2014

Spear phishing is a powerful fraud technique. The objective is to get sensitive/confidential data which can then be used to mount an attack. A combination, for example, of my home and mobile numbers, as well as my work and personal email addresses, is a valuable tool in "capable" hands.

Obtaining such data is not easy, but Siri can help.

Grab your target's LOCKED (!) iPhone, then press and hold the Home button to wake up Siri. Ask her for "My name". Then for "My email address". 

Next, request data on "My wife" (Siri prefers "My spouse", actually). Then try some names - e.g. John or Peter - to get FULL details from Address Book. Try "Lloyds" ("Barclays", "HSBC" and other major banks) to see what useful data is available there. 

You can send SMS to or call any of the numbers you see. Very handy if your target has some number for alternative low-cost telecom companies - dial the access number, then you can call anyone in the world, for FREE! With the phone still locked...

I'll leave the rest to your imagination. (Siri won't show your photos or launch apps - you do need to enter PIN for that - but there are some other neat tricks for exploiting that security hole, which I won't describe here...)

Enjoy!

Apple has the best security implementation in the industry, both on the s/w and h/w levels. I do hope it tells Siri off soon, especially if Apple is serious about entering the payments playground.

P.S. Apparently, that Siri exploit is old hat: it's been known since... 2011.

Tags: Security, Payments
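As an added example (not part of the original post, and not Apple tooling): a Python check an administrator could run over an unsigned iOS configuration profile to confirm that the lock-screen voice access described above is restricted. The sample profile and its identifier are constructed; `allowAssistant`, `allowAssistantWhileLocked` and `allowVoiceDialing` are keys of Apple's Restrictions payload (`com.apple.applicationaccess`).

```python
import plistlib

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Apple's Restrictions payload

# Constructed sample (not from the post): Siri allowed, no lock-screen limit set.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.constructed</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowAssistant</key><true/>
      <key>allowVoiceDialing</key><false/>
    </dict>
  </array>
</dict></plist>"""


def audit_profile(profile_bytes):
    """Return findings; an empty list means lock-screen voice access is restricted."""
    profile = plistlib.loads(profile_bytes)  # unsigned XML or binary plist only
    payloads = [p for p in profile.get("PayloadContent", [])
                if isinstance(p, dict) and p.get("PayloadType") == RESTRICTIONS_TYPE]
    if not payloads:
        return ["no Restrictions payload: lock-screen defaults apply"]

    def forced_off(key):
        # Assumption: a key set to false in any payload is enforced; absent means allowed.
        return any(p.get(key) is False for p in payloads)

    findings = []
    # Siri on the lock screen is closed by disabling Siri entirely or only while locked.
    if not (forced_off("allowAssistant") or forced_off("allowAssistantWhileLocked")):
        findings.append("allowAssistantWhileLocked is not false: Siri answers while locked")
    if not forced_off("allowVoiceDialing"):
        findings.append("allowVoiceDialing is not false: voice dialing works while locked")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE) or ["lock-screen voice access restricted"]:
        print(finding)
```

A signed profile is CMS-wrapped and has to be unwrapped before `plistlib` can parse it.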

Comments: (2)

Bjorn Soland - Promon AS - Oslo | 26 May, 2014, 07:08

This is a tradeoff between usability and security. The Siri features were never meant to be secure and if they are misused it only creates a problem for single users. Business logic then tells Apple to move on as before. By the way: Have you ever thought about how the spell checker works? It comes up with suggestions that are my own spelling mistakes and abbreviations which proves that apps definitely leak data to the phone operating system or very likely to a server as well. (Used to build dictionaries..?)

Matt Scott - Wincor Nixdorf International GmbH - Bracknell | 27 May, 2014, 15:12

I've disabled Siri - not because I am overly Security-sensitive - but because iOS is not smart enough to detect when my mobile drops to GPRS or EDGE connectivity (which doesn't offer enough Bandwidth to support the Siri Cloud Assistance Service). I would have expected the device to be smart enough to drop into Voice Control (which is an offline service provided by the handset). Even Voice Control spuriously phones random numbers when I am trying to command it using my handsfree kit... growing tired of Apple-related issues (having been an Apple convert since 2003) - typing this on my first (personal) non-Apple Laptop since then...
