Quiet Voice Assistant Attacks - ThreatWire

A new attack was discovered and shared during the Network and Distributed System Security Symposium on February 24 by researchers at Washington University in St. Louis. These researchers found that, within 30 feet, they could attack mobile devices via voice assistant commands that are entirely inaudible. Dubbed SurfingAttack, the attack affects iPhones running Siri, as well as Android phones that use Google Assistant. They found that they could use ultrasonic waves, because voice assistant programs listen across a range of frequencies much wider than that of the human voice. The microphones inside these devices are called MEMS (micro-electro-mechanical systems) microphones, which have built-in diaphragms that translate sound or light waves into electrical signals.

The attack requires a precise setup. This includes software that produces the correct waveforms, an ultrasonic generator to transmit the waves, a device that takes electrical signals and turns them into physical vibrations, and a hidden microphone that listens for the voice assistant to respond. A full demo using multiple devices can be seen on YouTube. The demo shows how the waveforms are transmitted via vibrations in the table that the phone is sitting on, allowing an attacker to force the camera to open and take a photo, make calls, or read SMS messages, which could in theory let an attacker steal SMS data (in this case, think about 2FA codes or other sensitive information). They could ask the voice assistant to turn down the volume so the user wouldn't notice their phone responding to 'nothing', and they could listen in on the replies with a hidden microphone.

In their study, the researchers found that if a phone was left on a hard surface, like a metal, glass, or wood countertop or table, the ultrasonic signal could be transmitted through that physical surface up to 30 feet away, but if the surface was covered with something soft like a tablecloth, then the attack was foiled. This means the attack could be used in an environment like a restaurant with shared tables or bar seating, a library, office spaces, etc. Luckily though, the hardware needed for the attack is somewhat obvious, so chances are you would notice someone with the necessary tools in environments like these. Unfortunately, some of the tools could be made by a DIY hacker, so they may not be as noticeable. At this time, the researchers recommend keeping your phone in a pocket or purse, since the attack requires the phone to be on a hard surface to work.

Links:

https://thehackernews.com/2020/03/voice-assistants-ultrasonic-waves.html

https://www.vice.com/en_us/article/bvg5dv/ultrasonic-waves-can-make-siri-share-your-secrets

https://surfingattack.github.io/papers/NDSS-surfingattack.pdf

https://source.wustl.edu/2020/02/surfing-attack-hacks-siri-google-with-ultrasonic-waves/

