CVE-2023-41997 - How Siri Could Let Attackers Peek Into Your iPhone — Explained

Apple is often praised for keeping its devices secure, but sometimes vulnerabilities slip through the cracks. One notable example is CVE-2023-41997, a flaw affecting Siri's behavior on locked devices. This post breaks down what the issue was, how it worked, how Apple fixed it, and what users need to know to stay safe.

What is CVE-2023-41997?

CVE-2023-41997 is a security vulnerability in Apple devices where Siri, the voice assistant, could expose sensitive user data even if your iPhone or other device was locked. That means if someone could physically get their hands on your device, they might ask Siri questions and get personal data in return — something that definitely shouldn't happen when your device is supposed to be secure and locked.

Mac computers

This vulnerability was officially documented by Apple and is tracked under CVE-2023-41997.

The Risk: What Could an Attacker Do?

If your iPhone, iPad, Watch or Mac with Siri enabled fell into the wrong hands, someone could use Siri to access information such as:

Calendar appointments or reminders

This exposure is particularly concerning because even if you use Face ID, Touch ID, or a strong passcode, Siri could let some private data slip out anyway — all without unlocking your device.

_"Read my last email."_

4. Siri responds,​ potentially displaying or reading out sensitive information, depending on the configuration and the specific bug.

Below is a simple pseudocode representing the type of access pathway

# Device is locked, Siri is enabled on lock screen

if device.isLocked() and siri.isEnabledOnLockScreen():
    user_input = siri.listen()
    if user_input in ['Show messages', 'Read last email']:
        # Vulnerability: Should NOT show this data when locked!
        siri.speak(fetch_sensitive_data(user_input))

In a real-world attack, this would all be done via voice, not code. But this example shows that the logic flaw was in allowing Siri to access more information than appropriate when the device was locked.

How Did Apple Fix It?

Apple addressed this issue by simply *restricting the options Siri offers when a device is locked*. Now, on updated systems, Siri won't give out sensitive information without first verifying if the device is unlocked.

In the patch, Apple likely modified the internal checks, so if the device is locked, Siri will limit its functionality or refuse to respond with personal data, even if requested via voice.

// Patch example in pseudocode
if device.isLocked():
    siri.limitedMode()
    # Only allow harmless queries, e.g., "What's the weather?"
else:
    siri.fullFunctionality()

Official Fixes and Updates

The following Apple updates fix CVE-2023-41997. If you use one of these, make sure to update ASAP!

iPadOS 16.7.2

Full Apple advisory:
Apple Security Updates
CVE-2023-41997 in Apple’s list

Toggle off Siri if you want even tighter lock screen security.

3. Never leave your devices unattended. Even with the fix, physical access attacks are always a risk, so take care with your gear.

Conclusion

CVE-2023-41997 reminds us that even the best device security can be tripped up by voice assistants. Thanks to Apple’s quick fix, the risk is gone if you keep your device up to date. If you want maximum protection, it's smart to double-check your lock screen settings for Siri access.

Further Reading

- Apple Security Releases (Official)
- CVE Record for CVE-2023-41997
- Ars Technica: Apple patches

Timeline

Published on: 10/25/2023 19:15:10 UTC
Last modified on: 11/02/2023 18:05:34 UTC