Explore critical security vulnerabilities discovered in Apple's ecosystem through this 45-minute DEF CON 33 conference talk that reveals how trusted everyday features can become attack vectors. Discover multiple zero-day issues found on fully updated, non-jailbroken iPhones that require no specialized tools to exploit. Learn about missing lock-state checks, Siri context confusion, race conditions, faulty Unicode parsing, and incomplete patches that enabled bypassing Face ID locks, retrieving sensitive user data, spoofing emails, and triggering daemon crashes. Examine specific vulnerabilities including how Siri and Spotlight disclosed sensitive data on locked devices (CVE-2025-24198 and CVE-2024-44235), Safari's Face ID protection bypass on private tabs (CVE-2025-30468), deceptive email spoofing techniques (CVE-2025-24225), Apple Intelligence internal prompt leaks and Private Cloud Compute data exposure to ChatGPT, and an unresolved IDOR vulnerability on Apple's support site that allowed retrieval of customer data. Gain insights into overlooked attack surfaces within Siri, Spotlight, Safari, Apple Intelligence, and Apple's official support systems that challenge assumptions about Apple's security posture.