VYPR
Low severity · 2.4 · NVD Advisory · Published Jul 22, 2016 · Updated May 6, 2026

CVE-2016-4593

Description

iOS before 9.3.3 allows a physically proximate attacker to read arbitrary Contact card information via Siri Contacts without authentication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Siri Contacts component in Apple iOS versions prior to 9.3.3 contains an information disclosure vulnerability that allows unauthorized reading of Contact card data. The exact code path and the conditions under which it is reachable are not publicly detailed, but the issue resides in how Siri accesses contact information, requiring only that the device is unlocked or accessible to a physically proximate user. Affected devices: iPhone 4s and later, iPod touch (5th generation) and later, and iPad 2 and later, running iOS before 9.3.3 [1].

Exploitation

A physically proximate attacker with access to an unlocked iOS device (or able to trigger Siri without authentication on a locked device, depending on configuration) can exploit this vulnerability via unspecified vectors. Apple's description refers only to "unspecified vectors", indicating the attacker does not need special privileges or complex steps; the proximity requirement reflects the need for direct physical interaction with the device [1].

Impact

Successful exploitation allows an attacker to read arbitrary Contact card information stored on the device, leading to an unauthorized disclosure of sensitive personal data (such as phone numbers, addresses, and names) without the user's knowledge or consent [1]. No further code execution or privilege escalation is reported; the impact is limited to information disclosure.

Mitigation

Apple released iOS 9.3.3 on July 18, 2016, which includes a fix for this vulnerability. Users should update their devices to iOS 9.3.3 or later via the Settings app or iTunes. No workarounds are provided, and this CVE is not listed in the CISA Known Exploited Vulnerabilities Catalog [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
