Security Risks with Siri Shortcuts

Siri Shortcuts can perform complex and automated tasks, interact directly from the locked screen or through existing apps, and be shared between users using the app itself via iCloud. However, Shortcuts could be created for malicious purposes, such as scareware that demands a ransom payment. Threat actors could achieve this by using Siri’s voice for ransom demands, automating the collection of data from the device and displaying it to the user to convince them of the threat, and directing the user to a URL to make the ransom payment. Shortcuts could also be configured to spread to other devices through the user’s contact list. The NJCCIC recommends that users avoid installing Shortcuts from untrusted sources, check the permissions requested by Shortcuts, and use the “show actions” button before installing a third-party Shortcut. More information on Siri Shortcuts and a video of the ransom attack scenario can be found in IBM SecurityIntelligence’s blog post.
