A cybersecurity company has demonstrated how a Siri feature could be exploited by scammers to assist with phishing attempts.
The approach relies on the way that Siri attempts to identify unknown callers, potentially presenting you with a misleading impression of who they are …
When Siri doesn’t recognize a caller, it uses a couple of different approaches to try to work out who it may be. It then presents that to you on your incoming call screen as ‘Maybe: Whoever.’
Although the ‘Maybe’ is a clue that Siri isn’t certain of the caller’s identity, some unwary people might rely on it, for example if it names their bank.
Fortune reports cybersecurity company Wandera's explanation of how it works.
Apple does block certain phrases – like ‘Bank’ or ‘Credit union’ – but not the names of specific banks, so it would present the guessed identity for something like Wells Fargo.
The subterfuge is even simpler via text messaging. If an unknown entity identifies itself as Some Proper Noun in an iMessage, then the iPhone’s suggested contacts feature should show the entity as “Maybe: [Whoever].”
As Bloomberg’s Mark Gurman notes, this has been possible since iOS 9.
Wandera said that it reported the issue to Apple back in April, but the company said that it didn’t consider it a security vulnerability. Apple did say that it had noted it as a software issue ‘to help get it resolved,’ suggesting that it may tighten protections.
Interesting take. Really think this is a complete non-issue however. Has been an iOS feature since 2015. Apple could probably easily add a switch to disable it though. https://t.co/zGfaVrfkgx
— Mark Gurman (@markgurman) June 11, 2018
You probably already view Siri contact guesses as just that. However, it’s probably worth being aware that scammers may be trying to exploit a potential vulnerability.