Apple has patched a security flaw that could have let apps on iOS and MacOS with Bluetooth access eavesdrop on Siri conversations.

The Hacker News reports that app developer Guilherme Rambo is credited with uncovering and reporting the bug to Apple in August 2022.

The vulnerability is dubbed SiriSpy and is tracked as CVE-2022-32946, with Apple saying “an app may be able to record audio using a pair of connected AirPods” in its description of the flaw.

Apple said it had addressed the Core Bluetooth issue with improved entitlements in iOS 16.1.

However, Rambo explained that the flaw didn’t only relate to Apple AirPods.

“Any app with access to Bluetooth could record your conversations with Siri and audio from the iOS keyboard dictation feature when using AirPods or Beats headsets,” he said in a blog post.

“This would happen without the app requesting microphone access permission and without the app leaving any trace that it was listening to the microphone.”

Rambo explained that the flaw relates to Apple’s DoAP service for Siri and Dictation support included in AirPods.

Essentially, a malicious actor could develop an app that connects to AirPods via Bluetooth and records audio in the background, without the user being aware of it.

According to the report, exploitation requires the app to be granted Bluetooth access. However, most users granting Bluetooth permissions likely won’t expect that it could allow access to their conversations with Siri and audio from dictation.

Notably, the vulnerability could be more dangerous when exploited in MacOS.

Exploiting the flaw in MacOS could let an attacker bypass the Transparency, Consent, and Control (TCC) security framework, meaning any app could record Siri conversations without requesting permissions.

Apple says it has patched the Core Bluetooth issue in an update for the iPhone 8 and later, all iPad Pro models, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.

It has also patched the issue in all supported versions of MacOS.