The so-called ‘information-hiding’ attack has been developed by Italian researcher Luca Caviglione and Polish professor Wojciech Mazurczyk to alert security experts to this growing way of hacking mobile devices.
In a paper published in the January issue of IEEE's magazine, the duo say their ‘iStegSiri’ attack enables criminals to bypass the Apple iOS operating system's traditionally strong security by hijacking Siri.
The attack works by using steganography - the art of hiding a message within another message.
Caviglione and Mazurczyk say such techniques are already being used in mainstream malware like Duqu, Alureon and Zeus to exfiltrate stolen data hidden inside picture files.
But their attack requires no malware code. “We believe this is the first attempt to covertly leak data from an iPhone or iPad without installing additional applications,” they say.
The attack works by piggybacking on the Siri conversations between the iPhone and Apple's remote server farms, where the voice messages are translated into text.
The researchers say: “Siri processes a user's voice with the Speex Codec, and the related data is transmitted to Apple as a sort of one-way Voice over IP stream encrypted and encapsulated within HTTP.
“iStegSiri controls the ‘shape’ of such traffic to embed secrets.”
There are three steps. First, the stolen data is converted into an audio sequence. Next this sound pattern is provided to Siri as the input via the iPhone's internal microphone. Finally, when it is sent to Apple, it is intercepted by the cyber-criminal and decoded.
The two researchers say iStegSiri can be used to extract sensitive information such as the user's credit card number or Apple ID and password. A typical 16-digit payment card number can be transmitted in about two minutes.
They built the attack to prove it can be done, but have held back some details to stop hackers exploiting it.
However they believe: “it's only a matter of time before we'll see new forms of malware that use information-hiding to compromise the Apple ecosystem.”
Caviglione and Mazurczyk point out that their method has two main drawbacks: it only works on jailbroken iOS devices and the hacker has to access the hidden data in transit.
But they say: “This can be achieved in several ways, including transparent proxies or probes that dump traffic for offline processing. This somewhat shifts the threat from the application to the network.”
They believe that “no current off-the-shelf products effectively detect covert communications” – forcing security experts to craft dedicated counter-measures for each method.
So they advise: “With iStegSiri, the ideal counter-measure acts on the server side. For example, Apple should analyse patterns within the recognised text to determine if the sequence of words deviates significantly from the used language's typical behaviours. Accordingly, the connection could be dropped to limit the covert communication's data rate.”
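The server-side countermeasure the researchers describe, as an added illustration that is not part of the article or of the researchers' paper: a small Python anomaly detector that scores each recognised transcript against a language model of ordinary assistant queries and flags transcripts whose word sequence deviates sharply from that baseline. Everything here is an assumption for illustration: the constructed corpus of "normal" queries, the interpolated unigram/bigram model with add-one smoothing, the use of mean surprisal (bits per token) and out-of-vocabulary ratio as the deviation measures, and the threshold calibrated as the worst-scoring normal query plus a 0.5-bit margin.

```python
"""Toy server-side transcript anomaly detector (added example, not from the article).

Scores recognised text under a language model built from ordinary queries and
flags transcripts whose token sequence is far less likely than any normal one.
"""
import math
from collections import Counter
from dataclasses import dataclass

UNK = "<unk>"   # stand-in for any word not seen in the normal corpus
START = "<s>"   # sentence-start context for the first bigram

# Constructed sample of ordinary assistant queries (assumption, not real data).
NORMAL_QUERIES = [
    "what is the weather today",
    "set an alarm for seven",
    "call mom",
    "text john i am running late",
    "what time is it",
    "play some music",
    "remind me to buy milk",
    "how is the weather tomorrow",
]


def tokenize(text: str) -> list[str]:
    """Lower-case whitespace tokenisation; enough for a toy model."""
    return text.lower().split()


@dataclass
class Verdict:
    surprisal_bits: float   # mean -log2 P(token | context) over the transcript
    oov_ratio: float        # fraction of tokens absent from the normal corpus
    anomalous: bool         # True when surprisal exceeds the calibrated threshold


class TranscriptAnomalyDetector:
    def __init__(self, normal_queries: list[str], margin_bits: float = 0.5):
        self.unigrams: Counter = Counter()
        self.bigrams: Counter = Counter()
        self.context: Counter = Counter()   # how often a token served as bigram context
        for query in normal_queries:
            prev = START
            for tok in tokenize(query):
                self.unigrams[tok] += 1
                self.bigrams[(prev, tok)] += 1
                self.context[prev] += 1
                prev = tok
        self.vocab_size = len(self.unigrams) + 1   # +1 reserves a slot for UNK
        self.total_tokens = sum(self.unigrams.values())
        # Calibration (assumption): baseline is the worst-scoring normal query plus a
        # margin. A real deployment would calibrate on held-out traffic instead.
        self.threshold_bits = max(self.score(q) for q in normal_queries) + margin_bits

    def _prob(self, prev: str, tok: str) -> float:
        """Add-one smoothed unigram and bigram estimates, interpolated 50/50."""
        uni = (self.unigrams[tok] + 1) / (self.total_tokens + self.vocab_size)
        bi = (self.bigrams[(prev, tok)] + 1) / (self.context[prev] + self.vocab_size)
        return 0.5 * uni + 0.5 * bi

    def _map_tokens(self, text: str) -> list[str]:
        return [t if t in self.unigrams else UNK for t in tokenize(text)]

    def score(self, text: str) -> float:
        """Mean surprisal in bits per token; higher means less like normal speech."""
        toks = self._map_tokens(text)
        if not toks:
            return 0.0
        prev, bits = START, 0.0
        for tok in toks:
            bits -= math.log2(self._prob(prev, tok))
            prev = tok
        return bits / len(toks)

    def oov_ratio(self, text: str) -> float:
        toks = self._map_tokens(text)
        return sum(t == UNK for t in toks) / len(toks) if toks else 0.0

    def inspect(self, text: str) -> Verdict:
        bits = self.score(text)
        return Verdict(bits, self.oov_ratio(text), bits > self.threshold_bits)


if __name__ == "__main__":
    det = TranscriptAnomalyDetector(NORMAL_QUERIES)
    # Constructed transcripts: one ordinary query, one that reads like spoken digits.
    for sample in ["what is the weather today", "four one two three eight nine five six"]:
        v = det.inspect(sample)
        print(f"{sample!r}: {v.surprisal_bits:.2f} bits, OOV {v.oov_ratio:.0%}, "
              f"{'DROP' if v.anomalous else 'ok'} (threshold {det.threshold_bits:.2f})")
```

The decision the researchers propose (drop the connection, or throttle it, when the transcript is anomalous) maps onto the `anomalous` flag; the surprisal score and OOV ratio are kept separately so an operator can tune the trade-off between catching covert channels and rejecting unusual but legitimate requests.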
Analysing their findings, independent UK cyber-security experts say the ideas are novel but do not see the threat as mainstream.
Graeme Batsman, security director of EncSec, told SCMagazineUK.com via email: “This attack is less worrying for four reasons – the full details are not public, it works on jailbroken devices only which is a small percentage, it requires access to traffic which could be hard if on a well-protected WiFi hotspot or similar, and cryptography and steganography is a complex field.”
But Batsman said: “Hopefully the researchers get Apple's attention and they increase filtering at their server level. IT security managers - and maybe home users - should be advised about this but the main item is ensuring smartphones are neither jailbroken nor rooted in the first place!
“Jailbreaking or rooting opens up a can of worms and increases the chance of picking up malware.”
Check Point UK managing director, Keith Bird, told SCMagazineUK.com via email: “This particular attack is new and it highlights how data can be siphoned from unsecured devices by using malware or exploiting a vulnerability in an app or function – and there are a lot of unsecured devices in enterprises.”
Bird said a 2014 Check Point mobile security survey found that almost half of the 700 IT professionals questioned didn't try to control business data held on employees' own phones and tablets.
“As a result, it's good practice to create a secure sandbox on the device that separates corporate data from personal data and applications. This enables users to securely use business applications through a simple interface, without affecting their personal information or apps.”