An iOS bug has allowed apps with access to Bluetooth to record users' conversations with Siri, as well as audio from iOS keyboard dictation, while AirPods or Beats headsets were in use.
The findings come from app developer Guilherme Rambo, who published a blog post about the new vulnerability on Wednesday.
“This would happen without the app requesting permission to access the microphone and without the app leaving any trace that it was listening to the microphone,” the technical description reads.
Rambo discovered the bug while investigating a drop in output quality when using Siri with modern AirPods for video conferencing on his macOS device.
“Knowing that the drop in output quality when using the mic is a physical limitation of the Bluetooth standards used by AirPods and other similar headsets, it has always been a mystery to me how talking to Siri was implemented on AirPods without sacrificing audio quality,” the app developer wrote.
During his testing of various aspects of AirPods and other Apple and Beats headsets, Rambo discovered a service in the headphone code that would allow any apps using the device to read the audio being spoken into the microphone without asking for permission.
“I always have mixed feelings when I discover something like this: a mixture of excitement that I’ve found a cool new thing to investigate and learn from, and disappointment/concern that this problem exists in the wild, sometimes for years,” he added.
Rambo then wrote an app to test the bug on other Apple devices and concluded that the iPhone, iPad, Apple Watch and Apple TV were all affected.
“Although this exploit bypasses the microphone permission, it still needs access to Bluetooth in order for the permission not to be bypassed,” the developer explained.
“However, most users wouldn’t expect that having access to Bluetooth would also give an app access to their conversations with Siri and audio from dictation.”
Rambo eventually also wrote a program that bypassed Bluetooth permissions, and he reported the vulnerability and his findings to Apple in late August. The company reportedly patched the vulnerability (tracked by Apple as CVE-2022-32946) earlier this week and announced it would reward Rambo $7000 for discovering it.
Also this week, Apple fixed a separate set of vulnerabilities that allowed arbitrary code execution with administrative privileges on iOS and iPadOS devices.