PPCGeeks.com – Siri Hacked For All Devices

Thanks to tipster Agent0Hibachi inside our forum we have now learned that some hackers have cracked Siri to work on any device. A group of hackers from Applidium posted a story explaining how they were able to hack Siri to run on any device. Seems Siri uses TCP to communicate back to a server 17.174.4.4 using port 443 (SSL). From a desktop the group realized that the IP address resolved back to a Apple server named “guzzoni.apple.com”. From here the group was able to create a fake guzzoni.apple.com address and tricked Siri into sending commands there instead of Apple’s own server. In the process the group learned that every time you send a command to siri it sends a date and timestamp back to the Apple server. To get the program to run on any device you will need to have one iPhone 4S identifier and some coding know-how. The group of hackers published some tools for future developers to create Siri-enabled applications and have encouraged fellow hacker to continue and see what they can develop.

10 Comments

ink718 November 17, 2011 at 12:45 am - Log in to Reply

haha wow! Nice!
eyeb November 18, 2011 at 12:26 am - Log in to Reply

lol imagine someone making an app that routes siri to their own site… then when someone asks siri something they’ll get “insert credit card number for more information” comments
Agent0Hibachi November 19, 2011 at 2:48 am - Log in to Reply

This was a good find. Would be a great thing to have that on android phones. Even though we do have similar apps, still would be cool to have siri as well. hell we already have everything the IPHONE already has an wishes it had.
- eyeb November 22, 2011 at 1:49 pm - Log in to Reply
  
  @Agent0Hibachi,
  Iris is a siri clone for android… even took siri and spelt name backwards lol
schettj November 19, 2011 at 10:32 am - Log in to Reply

So, there is no preshared key to two phase authentication on the web interface to Siri? This is what you get when you don’t have a security review.

The “hackers” (gag) did nothing more than spoof a DNS entry and look at the web request API (which is all they should be able to see, given SSL encryption of the contents.) One would hope there was more authentication inside the payload.

If this is actually true, and they can replay anything to the Siri web interface, it’s an even more horrible implementation than it seemed at first blush.
JohnMcD348 November 20, 2011 at 10:51 am - Log in to Reply

I bet Steve Jobs is rolling over in his grave.

What? Too Soon?
2 Bunny November 20, 2011 at 3:41 pm - Log in to Reply

Isn’t Siri now obsolete with the introduction of Iris?

– 2 Bunny
- timsmooth November 21, 2011 at 12:50 am - Log in to Reply
  
  @2 Bunny,
  
  Try speaktoit one word “speak to it” from the market it is better than iris for android and it has a female avatar who is top heavy!
shatner November 22, 2011 at 7:54 pm - Log in to Reply

can i get a .cab?
- gator352 November 26, 2011 at 7:53 am - Log in to Reply
  
  @shatner,
  
  In New York City. There are always .cabs around.