Apple Siri Cracked Open, Theoretically Opening
It Up To Other Devices Or Even Android

Serving as a stark reminder that there are people
on the Internet who are way, way too damned clever,
the guys over at the iPhone design/development
house Applidium claim to have cracked open Siri to
take an unsanctioned look at its (her? his?) inner
workings. In a rare (but quite welcome. I mean, by
us. Probably not by Apple) move, they’ve gone on to
do a rather detailed debriefing of how they got
through.

So, what does this mean to you? Theoretically, it
means that support for Apple’s voice-powered
portable assistant could be hacked not only onto
devices like the iPhone 4, but to anything from
laptops to Android phones as well. As the italics
on “theoretically” imply, though, there’s a bit of
a catch.

The catch: in the end, anything attempting to
communicate with Siri’s backend needs to have a
valid iPhone 4S identification string, unique to
each 4S. In one-off experiments like this one,
spoofing that string with one pulled from an actual
4S is somewhat simple — Apple wouldn’t (/couldn’t)
ever really notice.

If someone were to hack together an Android app
and distribute it, though, the massive influx of
requests all originating from the same unique ID
would almost certainly trigger a blacklisting.
Unless the app had a massive pool of authentic
unique IDs to rotate through, the fishy activity
would be pretty easy to discern.

I’d highly recommend reading Applidium’s full
rundown of the process, but here’s the tl;dr
breakdown:

• By connecting Siri to a local router and then
  dumping data as it came through, they realized
  that Siri was sending all of its data to a server
  that we’ll refer to as “Guzzoni”.
• All traffic sent to Guzzoni was sent through the
  HTTPS protocol. With the “S” in HTTPS standing
  for “Secure”, this traffic wasn’t subject to
  simple packet sniffing. So they had a new idea:
  make a fake Guzzoni server, and see what came
  through on the other
• After a good bit of ridiculously clever SSL
  certificate trickery, they got Siri sending
  commands to their fake server. With each command
  comes the “X-Ace-Host” string, which appears to
  be unique to each iPhone 4S.
• After figuring out how Apple was compressing
  (read: not encrypting) the data, Applidium was
  able to decompress it and parse out a rough
  sketch of exactly what was being sent (including
  which audio codec Apple was using), and what Siri
  expected in return.

With that process done, Applidium attempted to
talk to Siri without any iPhone 4S in the equation.
Their first challenge? Speech-to-text from a laptop
running a custom script. Sure enough: it worked.
Siri chewed through the sound file (a recording of
them saying “autonomous demo of Siri”), didn’t bat
an eye (as their tool was using their iPhone 4S’
actual unique ID), and returned a mountain of data
detailing what Siri heard and how sure it was about
Incredible. The Applidium guys have provided a few
tools for others to recreate their steps — but, as it
currently stands, there’s not much that can be done
to take this beyond a rather cool proof-of-concept.
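
The article's point that a flood of requests sharing one unique ID would be easy to discern can be sketched from the server side. This is an added example, not code from Applidium or Apple: the log format, the one-hour window and the source threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque

WINDOW_S = 3600      # assumed look-back window, in seconds
MAX_SOURCES = 3      # assumed ceiling: one handset roams across few networks

# Constructed log lines (not real traffic): "<epoch> <source-ip> <X-Ace-Host value>"
SAMPLE_LOG = """\
1000 198.51.100.7 id-aaaa
1060 203.0.113.10 id-bbbb
1200 203.0.113.11 id-bbbb
1300 198.51.100.7 id-aaaa
1500 203.0.113.12 id-bbbb
1900 192.0.2.44 id-aaaa
2000 203.0.113.13 id-bbbb
9000 203.0.113.14 id-cccc
"""

def parse(log_text):
    """Yield (timestamp, source_ip, device_id) from well-formed lines only."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2]

def shared_ids(events, window_s=WINDOW_S, max_sources=MAX_SOURCES):
    """Return {device_id: peak distinct sources} for IDs seen from more than
    max_sources distinct addresses inside any sliding window of window_s."""
    recent = defaultdict(deque)          # device_id -> deque of (ts, ip)
    flagged = {}
    for ts, ip, dev in sorted(events):
        q = recent[dev]
        q.append((ts, ip))
        while q and q[0][0] <= ts - window_s:   # expire events outside window
            q.popleft()
        sources = len({addr for _, addr in q})
        if sources > max_sources:
            flagged[dev] = max(flagged.get(dev, 0), sources)
    return flagged

if __name__ == "__main__":
    for dev, n in shared_ids(parse(SAMPLE_LOG)).items():
        print(f"{dev}: {n} distinct sources within {WINDOW_S}s -> review")
```

An ID that alternates between two networks, as a single handset moving between Wi-Fi and cellular would, stays under the threshold; only the ID fanned out across many sources inside the window is reported.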