This might be a disturbing news for those who highly rely on smart devices. A group of researchers at the Washington University discovered a new trick to attack smartphones via inaudible voice assistant commands. The researchers demonstrated how they exploited voice assistant features in smartphones to make phone calls, take photos, and read messages without even touching the device.
According to researchers, the unknown vulnerability affects all smartphones that run voice assistant features; iPhones running Siri and Android devices running Google Assistant. Dubbed as “SurfingAttack”, this attack method is a trick to remotely control voice assistants using inaudible ultrasonic waves.
How SurfingAttack Works?
The researchers stated that ultrasonic waves can be used to send commands via air. These waves propagate through solid surfaces to activate voice recognition systems with the help of some equipment.
SurfingAttack method requires three main components: a signal processing module, an ultrasonic transducer, and a tapping device. The target device is placed on a table with a microphone (to hear the assistant’s responses) and a piezoelectric transducer is attached to the bottom of it. SurfingAttack generates signals of voice commands that can propagate in the table to be received by the device’s microphone through a mechanical coupling.
The voice commands are generated using the speech synthesis and text-to-speech (TTS) Module. The controller produces the baseband signals v(t) of the voice commands or dialogues, and then transmits them to the attack device preferably through wireless. The attack device hidden beneath the table is used for ultrasonic signal modulation and voice recording. Without direct control over the voice controllable system, the attacker needs to design inaudible voice commands.
The researchers stated that they’ve performed tests on 17 phones and discovered that the attack method worked on 15 devices from four mobile manufacturers, which include Google (Pixel 1, Pixel 2, Pixel 3), Motorola (G5, Z4), Samsung (Galaxy S7, Galaxy S9), Xiaomi (Mi 5, Mi 8, Mi 8 Lite), and Apple (iPhone 5/5s/6 Plus/X).
Explaining about the SurfingAttack vector, Ning Zhang said, “If you know how to play with the signals, you can manipulate them such that when the phone interprets the incoming sound waves, it will think that you are saying a command. We did it on metal. We did it on glass. We did it on wood. They tried placing the phone in different positions, changing the orientation of the microphone. They placed objects on the table in an attempt to dampen the strength of the waves. It still worked even at distances as far as 30 feet.”
“I feel like not enough attention is being given to the physics of our computing systems. This is going to be one of the keys in understanding attacks that propagate between these two worlds,” Zhang added.
