The ghost in the machine — Inside Siri


It didn’t take long for hackers to crack the Siri protocol and discover exactly how Siri works. The beautiful thing about the hack was that it used a technique Moxie Marlinspike talked about some years back. After forcing all of Siri’s internet traffic through a packet-sniffer, it became apparent that Siri communicates over HTTPS with a server at Apple.

By simply creating a certificate that looks like Apple’s but uses a fake CA which could be installed onto the iPhone, it was simple to trick the iPhone into communicating directly with an internal server. Once this was in place, our hacker friends could get to work on figuring out what information the iPhone sends for each Siri command.

The task actually proved to be more awkward than one would expect. To begin with, Apple makes use of its own proprietary HTTP method, called ACE, in order to communicate. On top of this, the body of the HTTP message is a binary blob, which makes it relatively unclear as to what is going on inside the communication. Finally, the headers of the HTTP message seem to contain a unique ID which seems tied to the iPhone making the request, most likely to identify the device and prevent unauthorized devices from making use of the service.

After some very intelligent guesswork, it was possible to work out exactly what sort of content gets sent to Apple every time you use Siri. It seems that the binary blob is compressed using the zlib compression library, and ultimately it simply contains a large plist with all of the data that Apple’s servers need in order to process a Siri request. Of course, the information sent in this list will vary depending on the communication.
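To see what that layering means when auditing what a device sends, the following added example (not Applidium's tooling and not code from the original article) inflates a zlib-compressed body, parses the plist inside it and lists the leaves whose names suggest personal or device data. The key names, the hint list and the sample body are all constructed for illustration and are not Siri's real field names.

```python
import plistlib
import zlib

# Hypothetical key-name fragments an auditor might treat as privacy-relevant.
SENSITIVE_HINTS = ("deviceid", "latitude", "longitude", "audio")

# Constructed sample body: every key and value here is invented for the demo.
SAMPLE = zlib.compress(plistlib.dumps({
    "properties": {
        "deviceId": "CONSTRUCTED-0000",
        "audio": b"\x00" * 320,
        "location": {"latitude": 0.0, "longitude": 0.0},
        "codec": "speex",
    },
}, fmt=plistlib.FMT_BINARY))

def decode_blob(blob: bytes):
    """Inflate a zlib-compressed body and parse the plist inside it."""
    try:
        raw = zlib.decompress(blob)
    except zlib.error as exc:
        raise ValueError(f"body is not a zlib stream: {exc}") from exc
    try:
        return plistlib.loads(raw)
    except Exception as exc:
        raise ValueError(f"inflated body is not a plist: {exc}") from exc

def walk(node, path=""):
    """Yield (key_path, value) for every leaf of the nested plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node

def audit(blob: bytes) -> list:
    """Return (key_path, value_type) for leaves whose name matches a hint."""
    findings = []
    for path, value in walk(decode_blob(blob)):
        leaf = path.rsplit("/", 1)[-1].lower()
        if any(hint in leaf for hint in SENSITIVE_HINTS):
            findings.append((path, type(value).__name__))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```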

Generally, when you make a Siri request, all of the magic happens outside of your precious iPhone 4S. The audio content is recorded and then compressed using the Ogg Speex codec, which was developed for VOIP communications. This is then bundled up and sent back to Apple. Apple’s server processing farm performs the voice-recognition on the audio recording and returns the text along with confidence score ratings and timestamps for each word. More than likely, other data such as your GPS co-ordinates is also sent back to Apple for processing.

The hackers at Applidium who have broken the protocol have published their tools on GitHub. What is really cool about their work is that it is possible to record an audio sample on a non-iPhone device, compress it using the Speex codec and then send it off to Apple for processing. Of course, you need your iPhone 4S’ unique identifier in order to do this, but once you’ve got it, you can rig up your old Apple desktop or PC to interface with Siri and do whatever you need it to do.

On the other hand, if you’re like me, the idea that every time you send a text message or email using Siri all of that content routes through Apple’s servers first will send a shiver down your spine. I stopped using Gmail for my personal and company email a long time ago.


  • Zulu

    What do you use as an alternative to Gmail now? I’ve been looking for something for the longest time, only Gmail is, by far, the “best” service I’ve seen out there (read: free, reliable, and with a great feature set).

    Help?

  • Rowan Puttergill

    I run my own mail server on a Debian system running on a VPS. Except for the hosting cost, it’s mostly free. The down side is that I need to take care of my own SPAM filtering and backup. It’s not the approach I would expect to see the average user take, but in general I am quite concerned about privacy so I don’t like sharing my mail with 3rd parties. Particularly when they market their service as ‘free’, because you are pretty much guaranteed that they are scouring your mail to sell information on to advertisers etc.

    While the cost of hosting may seem a little crazy when you can use a free service like Gmail, having your own server has a whole load of advantages. On the mail side, I can quickly set up aliases to help manage my mail more effectively and to help obscure my identity from sites that require an email for registration purposes. But there are also things like being able to proxy your internet traffic through an SSH tunnel, when on a public network that you don’t trust. It’s also useful for quickly putting large files onto the web, for people to download…. probably I am just a little bit crazy though.

  • Zulu

    Thanks for that reply, Rowan. I, too, have my own mail server set up, only I can’t stand its interface. I don’t have time to mount the learning curve associated with many of the things you mentioned in your reply; I guess I’m waiting for the open source community to tackle email soon, and present a viable, reliable, user-friendly, free alternative, hopefully sooner than later.

    Until then, it looks like I’m sticking with Gmail for the time being. Not cool, and I hate it, but it’s slim pickin’s if you don’t have the resources to manually carve out your own space (and continue maintaining it too!).

    Again, thanks for the reply, buddy.

  • Rear Admiral Enderle

    >The audio content is recorded and then compressed using the Ogg Speex codec

    Apple uses OGG? That’s funny.

    I don’t make a big deal out of Apple hypocrisy and BS because there is so much of it but considering the past few years and their battle against OGG in various forms and factors like in HTML5, this is another one of their ‘do as I say, not as I do’ things.

    What’s next? ODF support from MS?
