At a press conference in Helsinki this week, F-Secure veep Maria Bordgren reportedly said Siri, the voice-activated personal assistant available to iPhone 4S users, was unsafe to use at work.
However, some researchers think she may be overreacting.
“Four out of 10 users don’t worry about corporate data and don’t think it will leak. Take Siri, it’s cute right, I like it, but if you ask it a question, the data is not stored on the iPhone - it goes to a datacentre in Oregon,” Bordgren said at a press conference in Helsinki this week, according to V3.
Theoretically, if attackers got their hands on this data, which mostly consists of search words and personal commands, they could leverage the information to hack into corporations.
It’s true Apple collects and processes data coming in and out of Siri. According to Apple’s software license agreement, “When you use Siri or Dictation, the things you say will be recorded and sent to Apple in order to convert what you say into text and, for Siri, to also process your requests.” The iPhone 4S also sends Apple information like first name and nickname, details about those in your contact list, and song names in your music collection, though “it is not linked to other data that Apple may have from your use of other Apple services.”
“If anyone was interested in that information you’re screwed,” she said, according to ZDNet.
Bordgren was also concerned over Apple’s alleged lack of corporate security policies. Security Watch gave Apple a day to refute this, but unfortunately it didn’t get back to us. A couple weeks ago Apple released a “security whitepaper” about iOS clearly aimed at convincing IT managers that its mobile OS was safe for the workplace.
Last month, IBM blocked cloud applications, including Siri. IBM chief information officer, Jeanette Horan, apparently told a reporter the company was “just extraordinarily conservative.”
Overreacting?
Is Siri really “unsafe for business”? According to a couple researchers we spoke to, Bordgren (and IBM) might be overreacting a bit.
“I doubt Apple uses that data for anything [malicious] and I seriously doubt anybody else has access to that data,” said Accuvant researcher and legendary iOS hacker, Charlie Miller.
“Most people don’t tell their innermost secrets to Siri, I suspect. But if you are totally paranoid, I suppose you should turn it off.”
Catalin Cosoi, head of BitDefender’s research labs, said that if hackers really wanted to steal Siri data, they probably wouldn’t try to hack into Apple’s servers. “They usually go through other routes,” he said.
“Besides, other services like Gmail, Facebook, they all store much more data in the cloud than Apple does. Why target Apple?”
Greater Threat on iOS: Apps
Cosoi said IT managers should be more concerned about employees downloading apps with excessive access to user data. BitDefender recently launched Clueful ($3.99, 3 stars), an app that quickly scans other iOS apps for permissions.
For instance, Clueful discovered that the app Family Doctor was pulling users’ emails and text messages every half hour, without users’ knowledge.
Like Android, iOS uses a permission-based system, but it works very differently. Instead of listing permissions upfront, iOS lets you download the app first, and the app then pushes out alerts asking for your permission to access certain resources when it needs them. If you’re determined to use an app, you probably blindly tap ‘OK’ to everything.
But even with this model in place, iOS apps aren’t explicit enough about required permissions. That’s how Path got in trouble: in February, users of the popular social networking app discovered that the app was exporting (through unencrypted means) entire address books and storing them on its servers.