iOS Bluetooth Bug Allowed Apps to Eavesdrop on User Conversations

An iOS bug has allowed apps with access to Bluetooth to record user conversations with Siri and audio from the iOS keyboard dictation feature while using AirPods or Beats headsets.

The findings come from app developer Guilherme Rambo, who published a blog post about the new vulnerability on Wednesday.

“This would happen without the app requesting microphone access permission and without the app leaving any trace that it was listening to the microphone,” reads the technical write-up.

Rambo discovered the flaw while researching a drop in output quality when using Siri with modern AirPods for video conferences on his macOS device.

“Knowing that the drop in output quality when using the microphone is a physical limitation of the Bluetooth standards used by AirPods and other similar headsets, how talk to Siri had been implemented on AirPods without disrupting audio quality had always been a bit of a mystery to me,” the app developer wrote.

During his testing of various aspects of AirPods and other Apple and Beats headsets, Rambo discovered a service in the headphones' code that would allow any app using the device to read the audio data spoken into the microphone without asking for permission.

“I always have mixed feelings when I discover something like this: a mix of excitement for having found a cool new thing to investigate and learn from, and disappointment/concern that this issue has been there in the wild, sometimes for years,” he added.

Rambo then wrote an app to test the bug on other Apple devices and concluded that iPhone, iPad, Apple Watch and Apple TV were all affected.

“Even though this exploit bypasses the microphone permission, it still needs access to Bluetooth so that permission is not bypassed,” the developer explained.

“However, most users would not expect that giving an app access to Bluetooth could also give it access to their conversations with Siri and audio from dictation.”

Rambo eventually also wrote a program that bypassed Bluetooth permissions, and he reported the vulnerability and his findings to Apple at the end of August. Earlier this week, the company reportedly fixed the vulnerability (tracked by Apple as CVE-2022-32946) and said it would reward Rambo $7000 for discovering it.

Also this week, Apple fixed a separate series of vulnerabilities that allowed arbitrary code execution with admin privileges on iOS and iPadOS devices.