Researchers yesterday cracked the pride of Apple’s latest iPhone iteration, reverse-engineering the protocol behind Siri, the speech-driven personal assistant built into the iPhone 4S.
On their blog, the researchers from Applidium posted a demo and directions that let anyone send requests to Siri’s back-end from any device. However, given Apple’s fierce protection of its creations, if you actually wanted to use Siri from your [insert device name here], you would have needed to do it immediately after Applidium published their findings.
Apple says that Siri works by sending data to a remote server for processing. What the researchers learned (you can read about how they determined this in their blog post here) is that the iPhone 4S sends the recorded audio compressed with the Speex codec, which was designed for VoIP. They also discovered that the protocol is very chatty: the phone sends a lot of information to Apple’s server, and Apple’s server replies with a great deal of information as well.
The iPhone 4S talks to an Apple server, guzzoni.apple.com, over HTTPS for Siri traffic, so the researchers set out to get in the middle of that connection.
“As you know, the ‘S’ in HTTPS stands for ‘secure’: all traffic between a client and an https server is ciphered. So we couldn’t read it using a sniffer. In that case, the simplest solution is to fake an HTTPS server, use a fake DNS server, and see what the incoming requests are. Unfortunately, the people behind Siri did things right: they check that guzzoni’s certificate is valid, so you cannot fake it. Well… they did check that it was valid, but thing is, you can add your own ‘root certificate’, which lets you mark any certificate you want as valid. So basically all we had to do was to set up a custom SSL certification authority, add it to our iPhone 4S, and use it to sign our very own certificate for a fake “guzzoni.apple.com”. And it worked: Siri was sending commands to your own HTTPS server! Seems like someone at Apple missed something,” the researchers’ blog post says.
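What Applidium found is the difference between checking that a certificate chains to some trusted root and checking that it belongs to the server you expect. The following Go program is an added example written for this page (it is not Applidium’s tooling or Apple’s code) that reproduces the trust relationships with throwaway keys: a hypothetical “Apple” root signs a genuine certificate for guzzoni.apple.com, a second, attacker-controlled root signs a forged one for the same name, and the forged certificate is evaluated under three client policies. The hostname is the real one from the post; every key, root name and serial number is generated on the spot and is an assumption of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hostname Applidium impersonated; all keys and certificates below are
// generated here for illustration and are not Apple's real material.
const siriHost = "guzzoni.apple.com"

type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mint generates a P-256 key and a certificate for name. With parent == nil it is a
// self-signed root (what a configuration profile can add to an iPhone's trust store);
// otherwise it is a server certificate for name signed by parent.
func mint(name string, parent *certPair) certPair {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	signerCert, signerKey := tmpl, key // a root signs itself
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return certPair{cert, key}
}

// spkiPin is what a pinning client ships with: SHA-256 of the server's
// SubjectPublicKeyInfo, independent of who signed the certificate.
func spkiPin(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// chainOK is the stock client check: any chain for siriHost ending in a root
// present in the device's trust store is accepted.
func chainOK(leaf *x509.Certificate, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: siriHost, Roots: roots})
	return err == nil
}

// pinnedOK additionally requires the server's key to match the pin, so an extra
// root in the trust store no longer lets an interceptor through.
func pinnedOK(leaf *x509.Certificate, roots *x509.CertPool, pin [32]byte) bool {
	return chainOK(leaf, roots) && spkiPin(leaf) == pin
}

type outcome struct {
	GenuinePinned          bool // genuine cert, pinning client: must still work
	ForgedCleanStore       bool // forged cert, untouched trust store
	ForgedWithMitmCA       bool // forged cert, attacker's root installed
	ForgedWithMitmCAPinned bool // same trust store, but the client pins Apple's key
}

func runScenario() outcome {
	appleCA := mint("Hypothetical Apple root", nil)
	realLeaf := mint(siriHost, &appleCA)
	mitmCA := mint("Applidium-style custom CA", nil)
	forgedLeaf := mint(siriHost, &mitmCA)
	clean, tampered := x509.NewCertPool(), x509.NewCertPool()
	clean.AddCert(appleCA.cert)
	tampered.AddCert(appleCA.cert)
	tampered.AddCert(mitmCA.cert) // the "add your own root certificate" step
	pin := spkiPin(realLeaf.cert)
	return outcome{
		GenuinePinned:          pinnedOK(realLeaf.cert, tampered, pin),
		ForgedCleanStore:       chainOK(forgedLeaf.cert, clean),
		ForgedWithMitmCA:       chainOK(forgedLeaf.cert, tampered),
		ForgedWithMitmCAPinned: pinnedOK(forgedLeaf.cert, tampered, pin),
	}
}

func main() {
	fmt.Printf("%+v\n", runScenario())
}
```

Run it and the forged certificate is rejected against the clean trust store (the “they check that guzzoni’s certificate is valid” observation), accepted as soon as the custom root is trusted (the trick Applidium used), and rejected again once the client pins the expected public key, while the genuine certificate still passes the pinning client. The example covers only the certificate decision; the fake DNS server that steers the phone to the interceptor is a separate step. Pinning is the standard fix for this class of interception, with the operational cost that the pinned value, or a backup pin, has to be updated whenever the server key is rotated.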
The tricky part is that the 4S sends device identifiers all over the place, so if you actually want to use Siri from a non-4S device you will still need a 4S identifier. The researchers did not publish their own 4S identifier (for obvious reasons). They also acknowledge that Apple could blacklist identifiers it sees being misused, but they contend this is unlikely if you are running the application for personal use.