Siri is just trying her best, but she’s not always as helpful as you would like. Now she’s even more of a pain. Apparently, Siri can be easily manipulated by cybercriminals in a way that plays into their phishing scams.
As Fortune reports, all it takes is the use of a proper noun in a phishing text message, and Siri will display the sender as “Maybe: [insert proper noun].” This means that hackers could find the name of a trusted or feared figure in someone’s life, one the recipient is almost certain to respond to, and pose as that person in a message accompanied by a phishing link.
And it doesn’t only apply to first and last names, like your boss or friends. Researchers found that although the vulnerability does not work on obvious words like “bank,” it does work on their proper-noun counterparts – e.g., “Wells Fargo.”
The most alarming part of this news is perhaps just how little effort the maneuver takes on the hacker’s end. Any amateur cybercriminal can exploit the vulnerability, no hacking experience required. Apple has responded that they do not classify this as a security vulnerability but rather as a software bug.
Referencing a tweet by Bloomberg’s Mark Gurman, 9to5Mac reports this has actually been a vulnerability since 2015, or iOS 9. Meanwhile, iPhones are currently running iOS 11.4. In the tweet, Gurman referred to the vulnerability as a “non-issue” in his eyes, but also noted that it’s something Apple could easily fix and hasn’t.