04 September 2015

Beyond TEDIPAY

Alexander Peschkoff - TEDIPAY


Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

Apple's Siri - iPhone security hole

23 May 2014  |  3807 views  |  2

Spear phishing is a powerful fraud technique. The objective is to get sensitive/confidential data which can then be used to mount an attack. A combination, for example, of my home and mobile numbers, as well as my work and personal email addresses, is a valuable tool in "capable" hands.

Obtaining such data is not easy, but Siri can help.

Grab your target's LOCKED (!) iPhone, then press and hold the Home button to wake up Siri. Ask her for "My name". Then for "My email address". 

Next, request data on "My wife" (Siri prefers "My spouse", actually). Then try some names - e.g. John or Peter - to get FULL details from Address Book. Try "Lloyds" ("Barclays", "HSBC" and other major banks) to see what useful data is available there. 

You can send an SMS to, or call, any of the numbers you see. Very handy if your target has stored the access number of a low-cost call-through telecom provider: dial that number and you can then call anyone in the world, for FREE, with the phone still locked...

I'll leave the rest to your imagination. (Siri won't show your photos or launch apps - you do need to enter the passcode for that - but there are some other neat tricks for exploiting that security hole, which I won't describe here...)

Enjoy!

Apple has the best security implementation in the industry, at both the software and the hardware level. I do hope it tells Siri off soon, especially if Apple is serious about entering the payments playground.

P.S. Apparently, that Siri exploit is an old hat: it's been known since... 2011.

Tags: Security, Payments

Comments: (2)

Bjorn Soland - Promon AS - Oslo | 26 May, 2014, 07:08

This is a tradeoff between usability and security. The Siri features were never meant to be secure and if they are misused it only creates a problem for single users. Business logic then tells Apple to move on as before. By the way: Have you ever thought about how the spell checker works? It comes up with suggestions that are my own spelling mistakes and abbreviations which proves that apps definitely leak data to the phone operating system or very likely to a server as well. (Used to build dictionaries..?)
Matt Scott - NCR Corporation - London | 27 May, 2014, 15:12

I've disabled Siri - not because I am overly security-sensitive - but because iOS is not smart enough to detect when my mobile drops to GPRS or EDGE connectivity (which doesn't offer enough bandwidth to support the Siri cloud assistance service). I would have expected the device to be smart enough to drop into Voice Control (which is an offline service provided by the handset). Even Voice Control spuriously phones random numbers when I am trying to command it using my handsfree kit... growing tired of Apple related issues (having been an Apple convert since 2003) - typing this on my first (personal) non-Apple laptop since then...
