Siri Shortcuts: Hey, Siri! Watch Out For Scareware!

by Cristian Gal / 12 June

Some of us can’t imagine life without Siri or another virtual assistant to help, guide and save time throughout the day. Despite its many advantages, the fact that it must always be listening in order to work properly raises serious privacy concerns.

The first step that led to the creation of today’s speaking devices was an educational toy named the Speak & Spell, announced back in 1978 by Texas Instruments. It offered a number of word games, similar to hangman, and a spelling test. What was revolutionary about it was its use of a voice synthesis system that electronically simulated the human voice.


The system was created as an offshoot of the pioneering research into speech synthesis developed by a team that included Paul Breedlove as the lead engineer. Breedlove was the one that came up with the idea of a learning aid for spelling. Breedlove’s plan was to build upon bubble memory, another TI research effort, and as such it involved an impressive technical challenge: the device should be able to speak the spelling word out loud.

The team analyzed several options for how to use the new technology, and the winner was this $50 toy idea.



With Apple’s introduction of iOS 12 for all their supported mobile devices came a powerful new utility for automation of common tasks called Siri Shortcuts. This new feature can be enabled by third-party developers in their apps, or custom built by users who download the Shortcuts app from the App Store. Once downloaded and installed, the app grants the power of scripting to perform complex tasks on users’ personal devices.


Siri Shortcuts can be a useful tool for both users and app developers who wish to enhance the level of interaction users have with their apps. But this access can potentially also be abused by malicious third parties. According to X-Force IRIS research, there are security concerns that should be taken into consideration in using Siri Shortcuts.


For instance, Siri Shortcuts can be abused for scareware, a pseudo-ransom campaign that tries to trick potential victims into paying a criminal by convincing them their data is in the hands of a remote attacker.

Using native shortcut functionality, a script could be created to transmit ransom demands to the device’s owner by using Siri’s voice. To lend more credibility to the scheme, attackers can automate data collection from the device and have it send back the user’s current physical address, IP address, contents of the clipboard, stored pictures/videos, contact information and more. This data can be displayed to the user to convince them that an attacker can make use of it unless they pay a ransom.


To move the user to the ransom payment stage, the shortcut could automatically access the Internet, browsing to a URL that contains payment information via cryptocurrency wallets, and demand that the user pay up or see their data deleted or exposed on the Internet.
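A review check for the pattern described above, written as an added example that is not code from the original article or from X-Force IRIS: it reads a shortcut's property list and flags one that combines data collection, spoken text and opening a URL. It assumes an unsigned plist export with a `WFWorkflowActions` array; the action identifier strings and the sample shortcuts are assumptions constructed for this example and should be confirmed against your own exports.

```python
import plistlib

# Action identifiers as they appear in exported shortcut files. These strings
# are assumptions for this example; confirm them against your own exports.
COLLECT = {
    "is.workflow.actions.getclipboard": "clipboard contents",
    "is.workflow.actions.getipaddress": "IP address",
    "is.workflow.actions.getcurrentlocation": "current location",
    "is.workflow.actions.selectcontacts": "contacts",
    "is.workflow.actions.getlastphoto": "photos",
}
SPEAK = "is.workflow.actions.speaktext"
OPEN_URL = "is.workflow.actions.openurl"


def audit_shortcut(raw: bytes) -> dict:
    """Summarise the behaviours of one shortcut plist that matter for review."""
    doc = plistlib.loads(raw)  # accepts both XML and binary plists
    ids = [a.get("WFWorkflowActionIdentifier", "")
           for a in doc.get("WFWorkflowActions", [])]
    collected = sorted({COLLECT[i] for i in ids if i in COLLECT})
    speaks, opens = SPEAK in ids, OPEN_URL in ids
    return {
        "collects": collected,
        "speaks": speaks,
        "opens_url": opens,
        # The scareware pattern needs all three stages in one shortcut.
        "scareware_pattern": bool(collected) and speaks and opens,
    }


def _sample(*ids: str) -> bytes:
    """Build a constructed shortcut plist holding only action identifiers."""
    actions = [{"WFWorkflowActionIdentifier": i, "WFWorkflowActionParameters": {}}
               for i in ids]
    return plistlib.dumps({"WFWorkflowActions": actions}, fmt=plistlib.FMT_BINARY)


# Constructed samples: one benign, one matching the pattern described above.
BENIGN = _sample("is.workflow.actions.getclipboard", SPEAK)
SUSPECT = _sample("is.workflow.actions.getipaddress",
                  "is.workflow.actions.getclipboard", SPEAK, OPEN_URL)

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, audit_shortcut(raw))
```

A shortcut that only reads the clipboard and speaks it is not flagged; the flag is raised only when collection, speech and a URL open appear together, which keeps ordinary automation out of the review queue.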


Apple prefers quick access over device security for Siri, which is why the iOS default settings allow Siri to bypass the passcode lock. However, allowing Siri to bypass the passcode lock could allow a thief or hacker to make phone calls, send texts, send e-mails, and access other personal information without having to enter the security code first.


There is always a balance that must be struck between security and usability. Users and software developers must choose how much security-related inconvenience they are willing to endure in order to keep their devices safe versus how quickly and easily they want to be able to use them.


Whether you prefer instant access to Siri without having to enter a passcode is completely up to you. In some cases, while you’re in the car, for example, driving safely is more important than data security. So, if you use your iPhone in hands-free mode, keep the default option, allowing the Siri passcode bypass.


As the Siri feature becomes more advanced and the number of data sources it taps into increases, the data security risk of the screen lock bypass may also increase. For example, if developers tie Siri into their apps in the future, Siri could provide a hacker with financial information if a Siri-enabled banking app is running and logged in using cached credentials and a hacker asks Siri the right questions.