
CVE-2023-42897: An attacker with physical access may be able to use Siri to access sensitive user data in Apple iOS and iPadOS

Published: Tue Dec 12 2023 (12/12/2023, 00:27:23 UTC)
Source: CVE Database V5
Vendor/Project: Apple
Product: iOS and iPadOS

Description

The issue was addressed with improved checks. This issue is fixed in iOS 17.2 and iPadOS 17.2. An attacker with physical access may be able to use Siri to access sensitive user data.

AI-Powered Analysis

Last updated: 11/04/2025, 20:23:43 UTC

Technical Analysis

CVE-2023-42897 is a vulnerability in Apple's iOS and iPadOS that allows an attacker with physical access to a device to use Siri, the voice assistant, to access sensitive user data without proper authentication. The root cause is insufficient verification in Siri's request handling while the device is locked, so voice commands can reach data that should require the device to be unlocked. Multiple versions of iOS and iPadOS prior to 17.2 are affected; Apple added improved checks in 17.2 to close the issue. The attack requires physical possession of the device but does not require the device to be unlocked or any interaction beyond activating Siri. No exploitation in the wild has been observed, but the vulnerability is a significant confidentiality risk because information reachable through Siri could be extracted. It does not directly affect device integrity or availability; the damage is to privacy and data confidentiality. No CVSS score has been assigned, so severity must be judged from impact and exploitability: given how easily the issue can be exploited with physical access and the sensitivity of the data exposed, it is rated high severity. The fix is available in iOS and iPadOS 17.2, and users are strongly advised to update promptly. The issue is particularly relevant to organizations and individuals that rely on Apple mobile devices for sensitive communications and data storage.

Potential Impact

The primary impact of CVE-2023-42897 is a loss of confidentiality: unauthorized access to sensitive user data via Siri on locked iOS and iPadOS devices. For European organizations this could expose corporate email, contacts, calendar entries, messages, or other personal information reachable through Siri, leading to data breaches or leakage of intellectual property. Because physical access is required, the risk is highest where devices may be lost, stolen, or left temporarily unattended. Employees who use Apple devices for work are affected, particularly in finance, government, healthcare, and legal services, where sensitive data is common. The impact on integrity and availability is minimal, but a breach of confidentiality can carry regulatory and reputational consequences under GDPR and other privacy laws. The absence of known exploits lowers the immediate risk without removing it, especially given how widely Apple devices are used in Europe. Organizations may also face elevated insider-threat risk or targeted physical attacks aimed at exploiting this vulnerability.

Mitigation Recommendations

1. Immediately update all Apple iOS and iPadOS devices to version 17.2 or later, where the vulnerability is patched.
2. Enforce strict physical security controls to prevent unauthorized access to devices, including secure storage and policies against leaving devices unattended.
3. Configure Siri settings to limit access when the device is locked, such as disabling 'Allow Siri When Locked' or restricting sensitive data access through Siri.
4. Educate employees about the risks of physical device access and encourage use of strong device passcodes and biometric authentication.
5. Implement mobile device management (MDM) solutions to enforce security policies and monitor device compliance with updates.
6. Consider disabling Siri entirely on devices used in highly sensitive environments if feasible.
7. Regularly audit device security settings and access logs to detect potential misuse.
8. Develop incident response plans that include procedures for lost or stolen devices to minimize data exposure.
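As an added example (not from the advisory or from Apple), the following Python checks an MDM device inventory against mitigation steps 1, 3 and 5 above and builds the Restrictions payload content that disables Siri on the lock screen. The inventory records and their field names are constructed for illustration; `allowAssistantWhileLocked` and `allowAssistant` are Apple's documented keys for the `com.apple.applicationaccess` Restrictions payload.

```python
"""Compliance check for the CVE-2023-42897 mitigations (constructed example)."""
import plistlib

PATCHED = (17, 2)  # fix version stated in the advisory


def parse_version(s):
    """'17.1.2' -> (17, 1, 2); ignores a trailing build string such as '(21C62)'."""
    return tuple(int(p) for p in s.split()[0].split("."))


def is_patched(os_version):
    return parse_version(os_version) >= PATCHED


def assess(device):
    """Return a list of findings for one inventory record (empty means ok)."""
    findings = []
    if not is_patched(device["os_version"]):
        findings.append("unpatched: update to 17.2 or later")
        # Only unpatched devices with Siri reachable from the lock screen are exposed.
        if device.get("siri_enabled", True) and device.get("siri_when_locked", True):
            findings.append("Siri reachable on lock screen: exposed to CVE-2023-42897")
    if not device.get("passcode_set", False):
        findings.append("no passcode: lock screen offers no protection")
    return findings


def restrictions_payload(disable_siri_entirely=False):
    """Restrictions payload content closing the lock-screen path (step 3 / step 6)."""
    payload = {"allowAssistantWhileLocked": False}
    if disable_siri_entirely:
        payload["allowAssistant"] = False
    return payload


def restrictions_plist(disable_siri_entirely=False):
    """Same content serialised as the XML plist an MDM profile embeds."""
    return plistlib.dumps(restrictions_payload(disable_siri_entirely))


# Constructed inventory, shaped like an MDM export; names and values are made up.
INVENTORY = [
    {"name": "ipad-legal-01", "os_version": "17.1.2", "siri_when_locked": True, "passcode_set": True},
    {"name": "iphone-fin-07", "os_version": "17.2", "siri_when_locked": True, "passcode_set": True},
    {"name": "iphone-hr-03", "os_version": "16.7.2", "siri_enabled": False, "passcode_set": False},
]


def exposed_devices(inventory=INVENTORY):
    """Names of devices still exposed to CVE-2023-42897."""
    return [d["name"] for d in inventory if any("CVE-2023-42897" in f for f in assess(d))]


if __name__ == "__main__":
    for d in INVENTORY:
        print(d["name"], assess(d) or "ok")
```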


Technical Details

Data Version: 5.2
Assigner Short Name: apple
Date Reserved: 2023-09-14T19:05:11.461Z
CVSS Version: null
State: PUBLISHED

Threat ID: 690a5550a730e5a3d9d783b7

Added to database: 11/4/2025, 7:34:40 PM

Last enriched: 11/4/2025, 8:23:43 PM

Last updated: 11/6/2025, 6:58:43 AM

