A terrifying vulnerability has been found in Apple, Google, Amazon, Microsoft, Samsung, and Huawei voice assistants by Chinese researchers.
The vulnerability affects iPhone and MacBook running Siri, any Galaxy phone any PC running Windows 10 and Amazon’s Alexa.
Zhejiang university team used a technique to translate typical vocal commands into ultrasonic frequencies too high for the human ear to hear. But these ultrasonic frequencies are easily decipherable by the microphones and software that power our always-on voice assistants.
This translation process lets the hackers take control of gadgets with just a few words uttered in frequencies very low to hear.
The researchers activated basic commands like “ Hey Siri ” and tell an iPhone to call some number or tell an iPad to FaceTime the number.
They could also force a Macbook or a Nexus 7 to open a malicious website and order an Amazon Echo to “open the back door” (with the help of a pin). Even an Audi Q3 could have redirected navigation system to a new location.
They used a smartphone with about $3 of additional hardware, including a small speaker and amp to hack each voice assistant. With their duplicatable methods with a bit of technical know-how and a few bucks.
A study from MWR Security previous month showed the Amazon Echo can be turned into a spying device with a hardware flaw in the first version.
So, the concerned customers should avoid using listening devices in public or turn off voice assistant functions.
In some cases, it’s hard to imagine an Amazon Echo being hacked with DolphinAttack. Echo is hackable by the person near to your device while in case of iPhone it seems no problem to hack from a distance. A hacker just needs to walk by you in a crowd.
A combination of hardware and software problems has enabled this hack. The software and microphones that power voice assistants like Siri, Google Home, and Alexa, can pick up inaudible frequencies.
Apple or Google could command their assistants to never obey orders from someone speaking at 20kHz only, with a digital audio filter.
In a study by Princeton and Cornell universities, researchers commanded the Google Pixel phone to take a picture and turn on airplane mode, and ask Alexa for the weather and what is on the shopping list from distances of 2 to 3 metres.
The researchers faced several cases when the sounds could only be picked up if they are coming from a source that is a few inches away from the device. But in some cases, the researchers were able to conduct the attack from several feet away e.g Apple Watch.
Voice assistants actually need ultrasonics to hear people well as compared to analyzing a voice sans those high frequencies. People don’t need ultrasonics to hear other people, but our computers rely upon them as a crutch.
Some companies are already exploiting ultrasonics for their UX with the inclusion of phone-to-gadget communication. Most notably, Amazon’s Dash Button pairs with the phone at frequencies around 18kHz, and Chromecast of Google also uses ultrasonic pairing.
Such imperceptible pairing creates a magical experience that consumers expect even in this modern age of electronics. They just ask “How it work? Who cares, it’s magic! ”.
But out of the fact that we can’t hear these mechanisms at work, we also can’t tell when they went wrong, or when they got hijacked.
They are designed to be invisible. It is the equivalent to driving a car with a silent engine. When the timing belt breaks, you only realize it when the car stops inevitably and the engine is ruined.