How They Can Hack Your Voice Assistant: Ultrasound
Voice is what we use as our main control tool nowadays. We can easily operate our mobile devices vocally. It’s a wonderful thing in the modern world, but also a dangerous one. Depending on the perspective you look at it from, it may appear to be safe. After all, the digital assistant recognizes only your voice and no one else’s. But this is all a lie.
The problem is the gap between how we hear a voice and how a computer does. The machine has an advantage over us humans: it can understand distorted sounds and ultrasonic sounds. We’ve already written about How Ultrasonic Sound Tracks Your Activity Online. Now it seems that hidden voice commands can take control of our handhelds and home voice assistants.
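One way a defender can check a recording for sound above the range of human hearing, as an added example that is not code from the researchers or from this article: it measures how much of the signal's power sits above 20 kHz. The 96 kHz sample rate, the 20 kHz audible limit, the 0.2 alert threshold and the two test tones are assumptions constructed for the illustration.

```python
import math

SAMPLE_RATE = 96_000      # assumption: a monitoring microphone/ADC that captures up to 48 kHz
AUDIBLE_MAX_HZ = 20_000   # approximate upper limit of human hearing

def goertzel_power(samples, freq_hz, rate=SAMPLE_RATE):
    """Signal power at a single frequency (Goertzel algorithm, standard library only)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def ultrasonic_share(samples, rate=SAMPLE_RATE, step_hz=500):
    """Fraction of the probed spectral power that lies above the audible band."""
    audible = ultrasonic = 0.0
    for f in range(step_hz, rate // 2, step_hz):
        p = goertzel_power(samples, f, rate)
        if f > AUDIBLE_MAX_HZ:
            ultrasonic += p
        else:
            audible += p
    total = audible + ultrasonic
    return ultrasonic / total if total else 0.0

def is_suspicious(samples, threshold=0.2):
    """Flag a frame when inaudible content carries a large share of the power.
    The threshold is an illustrative assumption and needs tuning per room."""
    return ultrasonic_share(samples) > threshold

def tone(freq_hz, amplitude, n=1920, rate=SAMPLE_RATE):
    """Constructed test signal: a pure sine tone, 20 ms long at 96 kHz."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / rate) for i in range(n)]

# Constructed samples: an audible 1 kHz tone alone, and the same tone
# with an inaudible 25 kHz component mixed in.
speech_like = tone(1_000, 1.0)
with_ultrasound = [a + b for a, b in zip(speech_like, tone(25_000, 0.8))]

if __name__ == "__main__":
    for name, frame in (("audible only", speech_like), ("with 25 kHz", with_ultrasound)):
        print(f"{name}: share={ultrasonic_share(frame):.3f} suspicious={is_suspicious(frame)}")
```

A recording sampled at 44.1 or 48 kHz cannot represent anything above roughly 22 to 24 kHz, so this check only makes sense on a capture chain with a higher sample rate.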
A group of scientists from Georgetown University and the University of California, Berkeley started their research when Amazon Echo hit the stores. Back then, voice control was just a toy for geeks. Now it constantly runs on every phone and home gadget, like a smart TV or an interactive speaker. The importance of the research they performed cannot be overstated.
The researchers registered a random URL and sent a command to open it. Downloading malware from a website is the most common way for it to spread. During this experiment both Google Assistant and Siri were tested.
The phones were trained by speaking ‘Ok, Google’ three times, as the manual says. Then the researchers tried to make them obey commands. Google Digital Assistant cracked almost immediately; Siri was a harder case. It gave in, but with limited access to the iPhone.
When I was first asked to write about this, I was really excited and decided to conduct an experiment of my own. I have two Android phones, both being two-year-old models with Android 6.0 aboard. My friend has an iPhone 6s with iOS 10.3.3.
The first thing to do was to make sure the phone was locked, and then to see if it would respond to any of my voice commands. Both Android phones responded to ‘OK, Google’ and followed through with an internet search when I asked, but they required my fingerprint to unlock the screen and see the results. The locked phones were also able to open YouTube, notes, and contact lists, but I did have to unlock the phone in order to see any videos, notes or contacts. I was able to look up a contact, but could not dial until I unlocked my phone and proceeded.
Then I recorded my voice and added some after effects to it. When I played the recording, my phone failed to recognize my voice! So…my phones aren’t exactly flagship phones. Honestly, they are just budget models, and I don’t think their microphones are too sensitive. But you know what? After this experiment I can almost say that is an asset!
The locked iPhone reacted to ‘Hey, Siri’ and answered what time it was. But for any other action, it asked us to press the home button and unlock with a passcode or fingerprint. So we can be a little safer with Siri and Apple products than with the Google Home Assistant.
The next question is how cyber criminals can reach your interactive speaker. The easiest way is to record a command and then insert it into a YouTube video. Then the video goes viral and their “hacking goal”, so to speak, is achieved. All the millions of people who watched that viral video got a small “gift” from the hackers. Does this intimidate you? It honestly shouldn’t. It’s hard not to notice if all of a sudden your phone starts to open a site you did not instruct it to open or a link you did not click on. Google phones in particular usually repeat commands out loud after performing them. So even if you happen to be watching a video with a hidden virus in it, you are holding the phone in your very hands, will instantly notice if a strange link starts to open, and can stop the phone from opening said virus.
Another way to reach or hack an interactive speaker is very Hollywood-like to me. A hacker or a group of hackers would have to hack a TV channel and add a hidden command to it. Then they would have to make sure you specifically tune the TV to that specific channel and watch the ad they hacked. Now… how likely is that to truly happen? Highly unlikely. Any sensible hacker would find a simpler and more effective way to hack your smart home system or phone. But I do think that the pranksters can appreciate the hole in this security system.
I won’t warn you about not using the “Ok, Google” command in public, because most of us don’t really do it much anyway. For me personally, I just don’t really want people to know what I am searching or looking for on my phone. What I do appreciate is a vocal password for the Home Assistant. For example, you can say “Ok, Google” and then add “Switch on the heating system, *insert password of choice here*”. Just make sure not to use your favorite pet’s name; just like the generic “1-2-3-4” passcodes, it is one of those passcodes hackers can easily crack.
OK, Google… close Word!
DolphinAttack: Inaudible Voice Command [Video]
Video uploaded by guoming zhang on August 31, 2017