CVE-2024-40818 is a vulnerability affecting Apple’s iOS and iPadOS platforms, as well as macOS and watchOS, where Siri can be manipulated on locked devices by an attacker with physical access to extract sensitive user data. The root cause is that Siri, when invoked on a locked device, previously allowed certain queries or commands that could reveal private information without requiring device unlock or user authentication. This behavior violates the principle of least privilege and exposes confidential data. Apple fixed the issue by restricting the options and responses Siri can provide when the device is locked, effectively reducing the attack surface. The vulnerability affects multiple Apple operating systems, including iOS 16.7.9 and later, iPadOS 16.7.9 and later, iOS 17.6 and later, iPadOS 17.6 and later, macOS Sonoma 14.6, Ventura 13.6.8, and watchOS 10.6. The CVSS 3.1 base score is 4.6, indicating medium severity, with the vector indicating physical attack vector (AV:P), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). No exploits have been reported in the wild, but the vulnerability poses a risk especially in scenarios where devices are lost, stolen, or temporarily unattended. The fix involves software updates that limit Siri’s functionality on locked devices to prevent unauthorized data disclosure.

The primary impact of CVE-2024-40818 is unauthorized disclosure of sensitive user data via Siri on locked Apple devices. This can lead to privacy violations, leakage of personal or corporate information, and potential follow-on attacks if sensitive data such as contacts, messages, or calendar entries are exposed. Since the attack requires physical access, the risk is higher in environments where devices may be lost, stolen, or accessed by unauthorized personnel. For organizations, this vulnerability could result in data breaches, loss of customer trust, and compliance issues if sensitive information is exposed. The lack of integrity or availability impact limits the scope to confidentiality only. However, the ease of exploitation without user interaction or privileges makes it a notable risk. The vulnerability affects a broad range of Apple devices globally, impacting users who rely on Siri and have not applied the security updates. The absence of known exploits in the wild reduces immediate threat but does not eliminate the risk of future exploitation.

To mitigate CVE-2024-40818, organizations and users should promptly apply the security updates released by Apple: iOS 16.7.9 and iPadOS 16.7.9, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6, Ventura 13.6.8, and watchOS 10.6. Beyond patching, organizations should enforce strict physical security controls to prevent unauthorized access to devices, including secure storage and policies for lost or stolen devices. Disable or limit Siri access on locked devices via device management policies where possible, especially in high-security environments. Educate users about the risks of leaving devices unattended and encourage use of strong passcodes and biometric locks. Consider deploying mobile device management (MDM) solutions to enforce security configurations and monitor device compliance. Regularly audit device settings to ensure Siri and other voice assistant features do not expose sensitive data when locked. Finally, implement incident response plans for lost or stolen devices to quickly revoke access and mitigate data exposure.