
This was about a month ago.

I noticed all the guys I work with have iPhones and constantly use Siri.

So I turned on my microphone recorder and recorded my friend's voice when he asked Siri a question.

Bingo. Lol I now have his keys to his phone...

A quick test. I played the voice I recorded

"Hey siri.mp3"

Then I spoke the first command that came to mind.

"Download a file from bigmac dot com/meterpreter and execute"

And boom. I was given a meterpreter shell and all his porn accounts now belong to me ;-)

So, has anyone thought of ways to exploit this?

Edited by i8igmac

Now I want a burger. Thanks for making me hungry. Damn you.

1 hour ago, bored369 said:

Also with the dolphin attack and ultra sounds you could play it from your pocket right beside someone and have their phone freak out in their hand

I was thinking this could be done with a parabolic reflector. Could maybe achieve great distance with recording and transmitting...


One (or many) major flaw (or flaws) with this..

There is no iPhone I know of that actually downloads a shell (being iOS as well) and executes it. From what I've found with iOS you can't download ANYTHING except for images and text - let alone execute it.

And recording someone's voice while they're talking to Siri? Surely you would've been at least 2m away, how can Siri understand anything? I've tried to talk to Siri with an iPhone and she mistook "Hey Siri, call Jack" with "Looking up Saul Mack", and that was while it was in my hand. Not to mention you can't even say "Hey Siri, go to bigmac.com/meterpreter". She's BOUND to get something wrong there, being a URL.

Seems like complete fiction to me.

However, I reckon the idea would work in terms of spoofing being the iPhone's owner to Siri. But the way you did it sounds soo dodgy.

Edited by Dave-ee Jones
6 hours ago, Dave-ee Jones said:

One (or many) major flaw (or flaws) with this..

There is no iPhone I know of that actually downloads a shell (being iOS as well) and executes it. From what I've found with iOS you can't download ANYTHING except for images and text - let alone execute it.

And recording someone's voice while they're talking to Siri? Surely you would've been at least 2m away, how can Siri understand anything? I've tried to talk to Siri with an iPhone and she mistook "Hey Siri, call Jack" with "Looking up Saul Mack", and that was while it was in my hand. Not to mention you can't even say "Hey Siri, go to bigmac.com/meterpreter". She's BOUND to get something wrong there, being a URL.

Seems like complete fiction to me.

However, I reckon the idea would work in terms of spoofing being the iPhone's owner to Siri. But the way you did it sounds soo dodgy.

It is almost complete fiction. When I said download and execute meterpreter, Siri responded far from what I instructed...

My friend watched me do the whole thing. His reaction was priceless...

Edited by i8igmac
11 hours ago, i8igmac said:

It is almost complete fiction. When I said download and execute meterpreter, Siri responded far from what I instructed...

My friend watched me do the whole thing. His reaction was priceless...

:sleep:

This thread is a complete lie?


POC||GTFO..lol

Show us some video demos. Shouldn't be hard to test possibilities, but I don't own an iPhone.

8 hours ago, digip said:

POC||GTFO..lol

Show us some video demos. Shouldn't be hard to test possibilities, but I don't own an iPhone.

It's all theoretical lol... like everything we do around here...

I guess you could send the contact list via email (boring). Maybe set 100 thousand reminders of pwned (kinda funny). Set a reminder to visit your favorite gay porn site and don't forget the lube. Or maybe even launch a porn video...

I also don't have an iPhone. This was something I did in fun and jokes... currently I am sitting next to my boss and his iPhone.

I could have a lot of fun with this.


I'm calling shenanigans.

1) I'm not sure you can host meterpreter on a webpage (which is what you'd need).

2) Even if you did, you don't get shell on an iPhone.

3) And it won't run unsigned apps.

And I tried it, and my iPhone came up with all sorts of mispronunciations. So it would be pretty hard to get it to go to the correct page, ANYWAY.

Plus, a lot of people turn Siri off from the lock screen and/or turn off 'Hey Siri', completely blocking this.

Although using ultrasonics to just get Siri to do stuff and so freaking out people sounds cool.

10 hours ago, Philip From Australia said:

I'm calling shenanigans. 

Absolutely. Meterpreter does not exist for iPhone. :lol:

I guess this is a simple form of social engineering. I can unlock the iPhone and give instructions to Siri or navigate through the phone and change what I like.

Complete access!

This is my boss's iPhone. My boss's audio clip. The potential here is unlimited, or limited to the device's capabilities.

I can use this audio clip to remove his voice recognition with Siri and replace it with my own. Essentially locking him out completely. If I was also to post on his lock screen a bitcoin account for deposit... um hopefully you get the rest of this hypothetical scenario...

I have only goofed around.

'Siri remind me to give my smartest employee a substantial raise'


I once wrote a JavaScript text flooder that sent 1000's of texts to a phone number so bad it jammed the entire OS and rendered it useless. You could send something like 'give me a raise and stop slaving me or the great flood continues, begin to gather animals', something along those lines. My wife's reaction was priceless too. The script prompted for carrier, phone number, and how much to loop.

I was surprised the carrier didn't block the flood.

