A cybersecurity company has demonstrated how a Siri feature could be exploited by scammers to assist with phishing attempts.
The approach replies on the way that Siri attempts to identify unknown callers, potentially presenting you with a misleading impression of who they are …
When Siri doesn’t recognize a caller, it uses a couple of different approaches to try to work out who it may be. It then presents that to you on your incoming call screen as ‘Maybe: Whoever.’
Although the ‘Maybe’ is a clue that Siri isn’t certain of the caller’s identity, some unwary people might rely on it, for example if it names their bank.
Fortune reports cybersecurity company Wandera explaining how it works.
There are two ways to pull off this social engineering trick […] The first involves an attacker sending someone a spoofed email from a fake or impersonated account, like “Acme Financial.” This note must include a phone number; say, in the signature of the email. If the target responds—even with an automatic, out-of-office reply—then that contact should appear as “Maybe: Acme Financial” whenever the fraudster texts or calls next.
The subterfuge is even simpler via text messaging. If an unknown entity identifies itself as Some Proper Noun in an iMessage, then the iPhone’s suggested contacts feature should show the entity as “Maybe: [Whoever].”
Apple does block certain phrases – like ‘Bank’ or ‘Credit union’ – but not the names of specific banks, so it would present the guessed identity for something like Wells Fargo.
As Bloomberg’s Mark Gurman notes, this has been possible since iOS 9.
Wandera said that it reported the issue to Apple back in April, but the company said that it didn’t consider it a security vulnerability. Apple did say that it had noted it as a software issue ‘to help get it resolved,’ suggesting that it may tighten protections.
You probably already view Siri contact guesses as just that. However, it’s probably worth being aware that scammers may be trying to exploit a potential vulnerability.