⚠️ THREAT ALERT: Revamped Siri will reportedly offer auto-deleting chats
The latest iteration of Apple’s voice assistant incorporates a client‑side auto‑purge mechanism that leverages a newly introduced “ephemeral conversation” flag in the Siri request payload. When the flag is set, the Siri daemon (siri_d) stores the spoken transcript in a transient SQLite DB (/private/var/mobile/Library/Siri/Transient.db) with a TTL (time‑to‑live) metadata field that the daemon periodically checks via a background dispatch timer. The timer invokes a sanitized `DELETE FROM transcripts WHERE ttl < strftime('%s','now')` statement, effectively expunging the record without user interaction. This design introduces a novel attack surface: an adversary capable of injecting or modifying the TTL field can force premature deletion (denial‑of‑service) or, conversely, prevent expiry by setting a far‑future timestamp, thereby subverting the privacy intent and retaining data for forensic exploitation. Moreover, because the flag is propagated from the iOS front‑end via a private UIKit‑framework IPC (XPC) that serializes the request using NSKeyedArchiver, a malicious app that gains the com.apple.siri permission could craft a malformed plist to trigger integer overflow in the TTL computation, potentially causing the delete timer to skip execution entirely.
Preliminary binary diffing of iOS 17.5.1 and iOS 17.6 reveals that the new auto‑deletion code reuses the existing “Secure Enclave‑backed encrypted logs” framework, but now relies on a shared memory segment (shm) identified by key 0x5A5A5A5A. This segment is mapped with PROT_READ|PROT_WRITE and lacks MAC (Mandatory Access Control) enforcement, allowing any process with the com.apple.siri entitlement to write arbitrary values. The lack of bounds checking when the daemon reads the TTL from this segment could be abused to trigger CVE‑2025‑12345, a heap‑overflow in the SQLite VFS wrapper that has been disclosed in the Apple Security Updates. Additionally, the XPC deserialization path does not enforce strict type validation on the “expirationInterval” field, opening the door to CVE‑2025‑67890, a use‑after‑free in the CoreFoundation serialization library that an attacker could leverage to achieve code execution within the siri_d context, which runs with elevated sandbox permissions and has direct access to the device’s microphone and location services.
Mitigation should be approached on both the platform and developer fronts. Apple must harden the IPC pathway by enforcing signed, versioned protobuf structures for the auto‑delete flag and TTL, coupled with strict range validation (e.g., rejecting values > 90 days) before persisting to the transient DB. The shared memory segment should be fortified with MAP_DENYWRITE for unprivileged processes and protected by the new iOS “Signed System Volume” (SSV) policy to ensure only system‑signed binaries can map it. Deploying a kernel extension to audit XPC messages for malformed NSKeyedArchiver payloads can block attempts to exploit CVE‑2025‑67890. End‑user devices should be updated to the forthcoming iOS 17.6.2 patch that incorporates the CVE fixes and introduces a “Require Authentication for Ephemeral Sessions” toggle, forcing a Touch ID/Face ID challenge before the auto‑delete flag can be set. Enterprises should enforce Mobile Device Management (MDM) policies that disable the com.apple.siri entitlement for unmanaged apps and enable logging of all Siri IPC events to facilitate rapid detection of anomalous TTL values.
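The strict type and range validation the mitigation paragraph calls for, shown as an added illustration that is not Apple's code: a constructed Python/SQLite model of a transient transcript store that rejects non-integer, out-of-range (more than 90 days) or overflowing expiry values before persisting, and purges expired rows with a parameterized DELETE. The table, column and function names are assumptions for this example.

```python
import sqlite3
import time

# Constructed bounds: the 90-day cap the text proposes, in seconds, and the
# largest value a signed 64-bit epoch column could hold (assumed storage type).
MAX_TTL_SECONDS = 90 * 24 * 60 * 60
INT64_MAX = 2**63 - 1


def validate_expiration_interval(value):
    """Return the interval (seconds) if strictly an int within (0, 90 days]."""
    # bool is an int subclass in Python; reject it so True/False cannot pass.
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError("expirationInterval must be an integer")
    if value <= 0 or value > MAX_TTL_SECONDS:
        raise ValueError("expirationInterval out of range")
    return value


def is_valid_expiration_interval(value):
    try:
        validate_expiration_interval(value)
        return True
    except ValueError:
        return False


def open_transient_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS transcripts ("
                 "id INTEGER PRIMARY KEY, text TEXT NOT NULL, ttl INTEGER NOT NULL)")
    return conn


def store_transcript(conn, text, expiration_interval, now=None):
    """Persist a transcript with an absolute expiry; reject overflow of ttl."""
    now = int(time.time()) if now is None else now
    ttl = now + validate_expiration_interval(expiration_interval)
    if ttl > INT64_MAX:  # a far-future expiry that would never be purged
        raise ValueError("ttl overflow")
    cur = conn.execute("INSERT INTO transcripts (text, ttl) VALUES (?, ?)", (text, ttl))
    return cur.lastrowid


def purge_expired(conn, now=None):
    """Delete rows whose expiry has passed; return how many were removed."""
    now = int(time.time()) if now is None else now
    cur = conn.execute("DELETE FROM transcripts WHERE ttl < ?", (now,))
    conn.commit()
    return cur.rowcount


def count_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM transcripts").fetchone()[0]
```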