CVE-2024-40853: An attacker may be able to use Siri to enable Auto-Answer Calls in Apple iOS and iPadOS
This issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 18 and iPadOS 18. An attacker may be able to use Siri to enable Auto-Answer Calls.
AI Analysis
Technical Summary
CVE-2024-40853 is a lock-screen logic flaw in Apple's iOS and iPadOS. Auto-Answer Calls is an accessibility setting (Settings > Accessibility > Touch > Call Audio Routing > Auto-Answer Calls) that answers incoming calls automatically after a configurable delay. Before the fix, Siri on a locked device would act on a request to turn Auto-Answer Calls on, so anyone who could speak to the device could enable it without a passcode, a biometric unlock, or any action by the owner. Once the setting is on, any call the attacker places to the device is answered by itself, which turns the handset into a live microphone wherever it happens to be. Apple addressed the issue in iOS 18 and iPadOS 18 by restricting the options Siri offers while the device is locked. The CVSS 3.1 base score is 5.9 (medium) with vector AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L: local attack vector (the attacker needs voice or physical access to the device to flip the setting), low attack complexity, no privileges required, no user interaction, unchanged scope, and low confidentiality, integrity and availability impact. No exploitation in the wild was known at the time of publication. Affected devices are iPhones and iPads running iOS or iPadOS versions earlier than 18.
Potential Impact
The primary impact is on privacy and confidentiality. With Auto-Answer Calls switched on without the owner's consent, the attacker can dial the device and listen to whatever is within earshot, which is a surveillance capability rather than a data-theft one. Note the two-stage shape of the attack: enabling the setting needs proximity (the attacker must be able to speak to the locked device), but everything after that is remote, since the attacker can place the call from anywhere and repeat it until the setting is noticed and turned off. Integrity and availability impacts are low but real, because an unauthorised settings change has been made and calls the owner never chose to take will interrupt normal use; an auto-answered call can also be used as a pretext in social-engineering attempts. The exposure is therefore greatest for people whose devices are left unattended but within voice range of others, such as executives in meeting rooms, travellers, or staff in shared workspaces, and the risk persists for every device that has not yet been updated to iOS 18 or iPadOS 18.
Mitigation Recommendations
Update all iOS and iPadOS devices to version 18 or later, where Apple restricts what Siri can do on a locked device. Until a device is updated, turn off Siri on the lock screen: Settings > Siri & Search > Allow Siri When Locked (off), or equivalently Settings > Face ID & Passcode (Touch ID & Passcode) > Allow Access When Locked > Siri (off). Simply having Auto-Answer Calls off is not by itself a defence, because the attacker's action is to turn it on; instead, check Settings > Accessibility > Touch > Call Audio Routing > Auto-Answer Calls after any period in which the device was unattended around untrusted people, and turn it off if it has been enabled. For managed fleets, push a Restrictions configuration profile that disables Siri while locked (the `allowAssistantWhileLocked` key in the `com.apple.applicationaccess` payload); be aware that iOS ignores this restriction on devices with no passcode, so pair it with a passcode requirement. Physical security controls and user awareness reduce the chance that an attacker gets voice access in the first place. For detection, look for answered calls in the Phone app's Recents that the user does not remember taking, and treat user reports of "my phone answered by itself" as a signal to inspect the setting. Follow Apple's security advisories for any further guidance.
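The two fleet-level steps above (find the devices still below the fix version, and push an interim profile that disables Siri on the lock screen) can be scripted. The block below is an added example, not code from Apple or from this advisory; the inventory rows are constructed sample data, the organisation prefix `com.example.mdm` and the payload identifiers are placeholders, and `FIX_VERSION` encodes the advisory's "fixed in iOS 18 and iPadOS 18". The profile uses only standard Restrictions payload keys (`PayloadType` `com.apple.applicationaccess`, `allowAssistantWhileLocked`).

```python
"""Rollout helper for CVE-2024-40853 (Siri can enable Auto-Answer Calls on a locked device).

Added example, not Apple's or the advisory's own code. It does two things a
practitioner wants during rollout of the iOS 18 / iPadOS 18 fix:

1. flag devices in an MDM inventory export whose OS is below the fix version, and
2. emit an interim Restrictions configuration profile that disables Siri while
   the device is locked (allowAssistantWhileLocked = false), which removes the
   lock-screen voice path the advisory describes.

The inventory below is constructed sample data; the identifier prefix
com.example.mdm is a placeholder to replace with an organisation's own.
"""
import csv
import io
import plistlib
import uuid

# Advisory: fixed in iOS 18 / iPadOS 18, so anything below 18.0 still needs the update.
FIX_VERSION = (18, 0)

# Constructed sample export. Real MDM exports carry more columns and sometimes
# append the build number in parentheses, which parse_version tolerates.
SAMPLE_INVENTORY = """\
serial,model,os_version
C02AAA01,iPhone 13,17.6.1
C02AAA02,iPad Pro,18.0
C02AAA03,iPhone 15,18.0.1 (22Axxxx)
C02AAA04,iPhone 12,16.7.8
C02AAA05,iPhone XR,18
"""


def parse_version(text):
    """Turn '17.6.1' into (17, 6, 1). Anything after the first whitespace
    (e.g. a build number) is dropped."""
    core = text.strip().split()[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(os_version, fix=FIX_VERSION):
    """True when the reported version is below the fix version.

    Python compares (18,) < (18, 0) as True, so both tuples are padded with
    zeros to the same length before comparing; '18' must count as fixed."""
    have = parse_version(os_version)
    width = max(len(have), len(fix))
    have = have + (0,) * (width - len(have))
    want = fix + (0,) * (width - len(fix))
    return have < want


def triage(csv_text):
    """Return the serials that still need the iOS 18 / iPadOS 18 update."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [row["serial"] for row in rows if is_vulnerable(row["os_version"])]


def interim_profile_dict(org_prefix="com.example.mdm"):
    """Restrictions profile that turns Siri off on the locked device.

    Caveat from Apple's Restrictions payload documentation: allowAssistantWhileLocked
    is ignored on devices that have no passcode, so enforce a passcode policy too."""
    restrictions = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.restrictions.siri-locked",  # placeholder id
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Interim: no Siri on lock screen (CVE-2024-40853)",
        "allowAssistantWhileLocked": False,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_prefix}.cve-2024-40853-interim",  # placeholder id
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "CVE-2024-40853 interim restriction",
        "PayloadContent": [restrictions],
    }


def interim_profile_bytes(org_prefix="com.example.mdm"):
    """Serialise the profile as an XML plist (.mobileconfig) ready to sign and upload."""
    return plistlib.dumps(interim_profile_dict(org_prefix))


if __name__ == "__main__":
    print("still needs iOS/iPadOS 18:", triage(SAMPLE_INVENTORY))
    print(interim_profile_bytes().decode())
```

Run it as-is to see the two serials flagged from the sample inventory and the generated profile; in practice, feed `triage` the real export and scope the profile to the flagged serials so the restriction is lifted once they report 18.0 or later.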
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, China, India, Brazil, Italy, Spain, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: apple
- Date Reserved: 2024-07-10T17:11:04.710Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69ceb82ae6bfc5ba1df6e9df
Added to database: 4/2/2026, 6:40:42 PM
Last enriched: 4/2/2026, 11:39:11 PM
Last updated: 4/3/2026, 5:54:45 AM