i8igmac Posted September 8, 2017

This was about a month ago. I noticed all the guys I work with have iPhones and constantly use Siri. So I turned on my microphone recorder and recorded my friend's voice when he asked Siri a question. Bingo. Lol, I now have the keys to his phone...

A quick test. I played the voice I recorded, 'Hey siri.mp3'. Then I spoke the first command that came to mind: "Download a file from bigmac dot com/meterpreter and execute". And boom. I was given a meterpreter shell. And all his porn accounts now belong to me ;-)

So, has anyone thought of ways to exploit this?

Edited September 8, 2017 by i8igmac

digip Posted September 8, 2017

Now I want a burger. Thanks for making me hungry. Damn you.

bored369 Posted September 8, 2017

Also with the dolphin attack and ultra sounds you could play it from your pocket right beside someone and have their phone freak out in their hand

i8igmac Posted September 8, 2017

1 hour ago, bored369 said: Also with the dolphin attack and ultra sounds you could play it from your pocket right beside someone and have their phone freak out in their hand

I was thinking this could be done with a parabolic reflector. Could maybe achieve great distance with recording and transmitting...

Dave-ee Jones Posted September 11, 2017

One (or many) major flaw (or flaws) with this.. There is no iPhone I know of that actually downloads a shell (being iOS as well) and executes it. From what I've found with iOS you can't download ANYTHING except for images and text - let alone execute it.

And recording someone's voice while they're talking to Siri? Surely you would've been at least 2m away, how can Siri understand anything? I've tried to talk to Siri with an iPhone and she mistook "Hey Siri, call Jack" with "Looking up Saul Mack", and that was while it was in my hand. Not to mention you can't even say "Hey Siri, go to bigmac.com/meterpreter". She's BOUND to get something wrong there, being a URL.

Seems like complete fiction to me. However, I reckon the idea would work in terms of spoofing being the iPhone's owner to Siri. But the way you did it sounds soo dodgy.

Edited September 11, 2017 by Dave-ee Jones

i8igmac Posted September 11, 2017

6 hours ago, Dave-ee Jones said: One (or many) major flaw (or flaws) with this.. There is no iPhone I know of that actually downloads a shell (being iOS as well) and executes it. From what I've found with iOS you can't download ANYTHING except for images and text - let alone execute it. And recording someone's voice while they're talking to Siri? Surely you would've been at least 2m away, how can Siri understand anything? I've tried to talk to Siri with an iPhone and she mistook "Hey Siri, call Jack" with "Looking up Saul Mack", and that was while it was in my hand. Not to mention you can't even say "Hey Siri, go to bigmac.com/meterpreter". She's BOUND to get something wrong there, being a URL. Seems like complete fiction to me. However, I reckon the idea would work in terms of spoofing being the iPhone's owner to Siri. But the way you did it sounds soo dodgy.

It is almost complete fiction. When I said download and execute meterpreter, Siri responded far from what I instructed... My friend watched me do the whole thing. His reaction was priceless...

Edited September 11, 2017 by i8igmac

Dave-ee Jones Posted September 11, 2017

11 hours ago, i8igmac said: It is almost complete fiction. When I said download and execute meterpreter, Siri responded far from what I instructed... My friend watched me do the whole thing. His reaction was priceless...

This thread is a complete lie?

digip Posted September 12, 2017

POC||GTFO..lol Show us some video demos. Shouldn't be hard to test possibilities, but I don't own an iPhone.

i8igmac Posted September 12, 2017

8 hours ago, digip said: POC||GTFO..lol Show us some video demos. Shouldn't be hard to test possibilities, but I don't own an iPhone.

It's all theoretical lol... like everything we do around here... I guess you could send the contact list via email (boring). Maybe set 100 thousand reminders of pwned (kinda funny). Set a reminder to visit your favorite gay porn site and don't forget the lube. Or maybe even launch a porn video...

I also don't have an iPhone. This was something I did in fun and jokes... Currently I am sitting next to my boss and his iPhone. I could have a lot of fun with this.

Philip From Australia Posted September 17, 2017

I'm calling shenanigans.

1) I'm not sure you can host meterpreter on a webpage (which is what you'd need).
2) Even if you did, you don't get shell on an iPhone.
3) And it won't run unsigned apps.

And I tried it, and my iPhone came up with all sorts of mispronunciations. So it would be pretty hard to get it to go to the correct page, ANYWAY. Plus, a lot of people turn Siri off from the lock screen and/or turn off 'Hey Siri', completely blocking this.

Although using ultrasonics to just get Siri to do stuff and so freaking out people sounds cool.

i8igmac Posted September 17, 2017

10 hours ago, Philip From Australia said: I'm calling shenanigans.

Absolutely. Meterpreter does not exist for iPhone. I guess this is a simple form of social engineering. I can unlock the iPhone and give instructions to Siri or navigate through the phone and change what I like. Complete access!

This is my boss's iPhone. My boss's audio clip. The potential here is unlimited, or limited to the device's capabilities. I can use this audio clip to remove his voice recognition with Siri and replace it with my own. Essentially locking him out completely. If I was also to post on his lock screen a bitcoin account for deposit... um, hopefully you get the rest of this hypothetical scenario...

I have only goofed around. 'Siri remind me to give my smartest employee a substantial raise'

numb3rs80 Posted September 24, 2017

I once wrote a JavaScript text flooder that sent 1000's of texts to a phone number so bad it jammed the entire OS and rendered it useless. You could send something like 'give me a raise and stop slaving me or the great flood continues, begin to gather animals', something along those lines. My wife's reaction was priceless too. The script prompted for carrier, phone number, and how much to loop. I was surprised the carrier didn't block the flood.