Siri and Google Assistant hacked in new ultrasonic attack
Unsettling news for anyone who relies on smartphone voice assistants: researchers have demonstrated how these can be secretly activated to make phone calls, take photos, and even read back text messages without ever physically touching the device.
Dubbed SurfingAttack by a US-Chinese university team, this is no parlor trick and is based on the ability to remotely control voice assistants using inaudible ultrasonic waves.
Ultimately, commands are just sound waves, which other researchers have already shown can be emulated using ultrasonic waves which humans can't hear, providing an attacker has a line of sight on the device and the distance is short.
What SurfingAttack adds to this is the ability to send the ultrasonic commands through a solid glass or wood table on which the smartphone was sitting using a circular piezoelectric disc connected to its underside.
Although the distance was only 43cm (17 inches), hiding the disc under a surface represents a more plausible, easier-to-conceal attack method than previous techniques.
As explained in a video showcasing the method, a remote laptop generates voice commands using text-to-speech (TTS) Module to produce simulated voice commands which are then transmitted to the disc using Wi-Fi or Bluetooth.
The researchers tested the method on 17 different smartphones models from Apple, Google, Samsung, Motorola, Xiaomi, and Huawei, successfully deploying SurfingAttack against 15 of them.
The researchers were able to activate the voice assistants, commanding them to unlock devices, take repeated selfies, make fraudulent calls and even get the phone to read out a user's text messages, including SMS verification codes.
Responses were recorded using a concealed microphone after turning down the device's volume so this communication would not be heard by a nearby user in an office setting.