Apple to fix Siri bug that exposed parts of encrypted emails – Naked Security

Apple may care about your privacy but that doesnt mean it gets it right all the time, especially when it comes to training its Siri AI assistant. Last week, a researcher went public with a glaring security hole in the way that Siri gets to know you.

Apple IT specialist Bob Gendler was tinkering around in the macOS operating system to understand more about how Apple personalizes Siri for each user. During the process, he found that the operating system was storing portions of user emails in plaintext, even when they were supposed to be encrypted.

According to Gendlers Medium post revealing the issue, Apple uses a system process called suggestd. Apple explains (as part of a help file system in the underlying BSD OS) that the program, which runs constantly, slurps content from various apps. These include Spotlight (the macOS indexing system), Mail, and Messages. It uses them to learn how you work and what youre interested in, using it for things like news personalization.

When it read this information, it stores it in the snippets.db file inside the macOS Suggestions folder. Even emails encrypted with Secure/Multipurpose Internet Mail Extension (S/MIME), a technology that uses public and private keys to digitally sign and protect emails, didnt escape. Suggestd stored the plaintext versions with no encryption at all in the database.

An attacker would need full disk access to your system files to look at this information, because macOS protects it with its System Integrity Protection feature, an OS X El Capitan-era security measure that ring fences important system files. However, we know from recent problems that some people have needed to turn this off, and Gendler says that any program with full disk access in macOS could potentially harvest the data. Because Apples Finder (the equivalent of Windows File Explorer) has full access, a rogue AppleScript program could do it.

How do you stop macOS from storing your secret emails in plaintext? Simply turning off Siri wont do it, because suggestdis still working behind the scenes. Instead, you can do it manually by entering a command in your terminal window (you dont need to have root access to do it):

If you want to quickly stop Siri learning from all of your apps, open System Preferences, and then Siri. Click About Siri & Privacy, and then deselect all your apps in turn.

These solutions only work on a per-user basis, but Gendler also provides a longer script that you can run to turn off Siri-based Apple Mail snooping for all users on the system.

If an attacker could get malware on a victims Mac with full disk access, there is a chance they could read sensitive material from the snippets.db file, but the stars would have to align. Its serious, but perhaps not as serious and visible a privacy issue as Apples revelation earlier this year that it was letting contractors listen to Siri recordings. It revised its policy on that quickly enough, but Gendler complains that it dragged its heels for 100 days after he reported this new issue, omitting a fix from several security updates across more than one OS version. He said:

For a company that prides itself on security and privacy, the lack of attention to detail on an issue like this completely and totally surprises me. It brings up the question of what else is tracked and potentially improperly stored without you realizing it.

Eventually, Apple sent him the instructions for turning off Siri-based app learning via system preferences that weve just given you.

Apple saidits aware of the issue and says it will address it in a future software update.

See the rest here:
Apple to fix Siri bug that exposed parts of encrypted emails - Naked Security

Related Posts
This entry was posted in $1$s. Bookmark the permalink.