Imagine someone picking up your locked iPhone, saying “Hey Siri, who just called me?” and getting access to pieces of your private call history. That is exactly the kind of risk CVE-2022-32870 exposed before Apple patched it. In this long read, let’s break down how this bug worked, show how it could be abused, and review how Apple fixed it—covering everything in plain English with code snippets for context.
## What Is CVE-2022-32870?
CVE-2022-32870 is a security vulnerability announced by Apple in September 2022 that allowed a user with physical access to a locked device to use Siri to learn pieces of the call history. The cause was a logic flaw in Siri's state management: in plain terms, Siri did not always re-check whether the device was locked before deciding to share certain information.
### Description
> A logic issue was addressed with improved state management. This issue is fixed in iOS 16, macOS Ventura 13, watchOS 9. A user with physical access to a device may be able to use Siri to obtain some call history information.
References:
- Apple Security Updates (Sept 12, 2022)
- NIST NVD: CVE-2022-32870
## How Did the Bug Work?
Premise: Siri should *not* respond with sensitive info when a device is locked. In most cases, Siri will say “You need to unlock your iPhone to do that.” However, CVE-2022-32870 was a “logic issue.” That means under certain state conditions, Siri skipped a security check and would respond to “Who just called me?” or similar queries on locked devices.
### Attack Scenario
Let’s say you lose your phone, or it’s left unattended on your desk. Someone walks by, picks up your phone, and says:
> “Hey Siri, who just called?”
On a vulnerable device, Siri might read out the name or number of the last call—even though the phone is still locked.
### Technical Walkthrough
While Apple did not share the exact internal code, we can infer how the logic bug might have looked.
A simplified pseudo-code might look like this:

```swift
func handleSiriCallHistoryRequest(request: SiriRequest) {
    if device.isLocked {
        if request.isCallerInfo {
            // Here's the logic flaw: the caller-info branch hands out the
            // information without ever enforcing the lock-state check.
            provideCallHistoryInfo()
        } else {
            denyRequest("You need to unlock your device to do this.")
        }
    } else {
        provideCallHistoryInfo()
    }
}
```
In reality, correct code should have always denied the request if the device was locked, like this:

```swift
func handleSiriCallHistoryRequest(request: SiriRequest) {
    if device.isLocked {
        // Deny by default: no call history leaves a locked device.
        denyRequest("You need to unlock your device to do this.")
    } else {
        provideCallHistoryInfo()
    }
}
```
The oversight, possibly due to an edge-case or specific Siri configuration, meant the block wasn’t always enforced for call history requests.
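To make the difference between the two shapes of logic concrete, here is an added Python model (not Apple's code and not part of the original post) that places the flawed per-intent branching beside a single deny-by-default gate, then walks every (lock state, intent) pair to find any state in which call history leaves a locked device. The intent names, the grouping of call-history intents and the sample call log entry are all constructed for illustration.

```python
from enum import Enum, auto
from itertools import product


class LockState(Enum):
    UNLOCKED = auto()
    LOCKED = auto()


class Intent(Enum):
    SET_TIMER = auto()     # harmless while locked
    CALLER_INFO = auto()   # "who just called?" (reads call history)
    RECENT_CALLS = auto()  # "show my recent calls" (reads call history)


# Hypothetical grouping of the intents that read call history.
CALL_HISTORY_INTENTS = {Intent.CALLER_INFO, Intent.RECENT_CALLS}
# Constructed sample data standing in for the device's call log.
LAST_CALL = "Mom, 10 minutes ago"


def flawed_handler(state, intent):
    """Mirrors the article's pseudo-code: the lock check is re-done per
    intent, and the caller-info branch discloses while locked."""
    if state is LockState.LOCKED:
        if intent is Intent.CALLER_INFO:
            return ("disclosed", LAST_CALL)  # the logic flaw
        if intent is Intent.RECENT_CALLS:
            return ("denied", None)
        return ("ok", "timer set")
    if intent in CALL_HISTORY_INTENTS:
        return ("disclosed", LAST_CALL)
    return ("ok", "timer set")


def hardened_handler(state, intent):
    """One gate, evaluated before any intent-specific code runs: every
    call-history intent is refused unless the device is unlocked."""
    if intent in CALL_HISTORY_INTENTS and state is not LockState.UNLOCKED:
        return ("denied", None)
    if intent in CALL_HISTORY_INTENTS:
        return ("disclosed", LAST_CALL)
    return ("ok", "timer set")


def find_lock_bypasses(handler):
    """Exhaustively check the state space and return every (state, intent)
    pair in which call history is disclosed while the device is locked."""
    return [(state, intent) for state, intent in product(LockState, Intent)
            if state is LockState.LOCKED
            and handler(state, intent)[0] == "disclosed"]
```

The exhaustive check is the part worth keeping: because the state space is tiny, a test that enumerates it catches any future branch that forgets the lock check, whatever edge case introduced it.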
1. Make sure the device is locked.
2. Activate Siri by holding the home/power button or saying "Hey Siri."
Sample Exploit Demonstration:
[Locked iPhone on desk]
Attacker: "Hey Siri, who just called?"
Siri: "You had a call from Mom 10 minutes ago."
On patched devices (iOS 16+):
Siri will reply: “You'll need to unlock your iPhone to do that.”
## Mitigation and Fix
Apple fixed this issue in iOS 16, macOS Ventura 13, and watchOS 9 by properly checking lock state before any call information is shared—no exceptions.
- Ensured all call history queries strictly require the device to be unlocked.
Official Apple Security Note:
> A logic issue was addressed with improved state management. This issue is fixed in iOS 16, macOS Ventura 13, watchOS 9.
- Update your device. Go to *Settings > General > Software Update* and install the latest OS.
- Restrict Siri on Lock Screen: Go to *Settings > Face ID & Passcode* (or Touch ID), scroll down to “Allow Access When Locked” and turn off Siri.
## References
- Apple Security Update - iOS 16
- macOS Ventura 13 Security Release Notes
- NIST National Vulnerability Database: CVE-2022-32870
- Reddit: Play-by-Play of Siri Lock-screen Bypass Exploit
## Conclusion
CVE-2022-32870 is a reminder that even the most familiar and trusted voice assistants can slip up due to logic issues—especially when physical access is involved. Always keep devices updated, and manage what Siri or similar services can access when your phone is locked!
## Timeline
Published on: 11/01/2022 20:15:00 UTC
Last modified on: 11/02/2022 15:48:00 UTC