Voice assistants are supposed to make your life easier, but they might also make it easier for a determined individual to steal your data. A group of US-Chinese researchers devised an attack dubbed SurfingAttack that uses ultrasonic waves to trigger Siri, Google Assistant, and Bixby. The team was able to request personal information and place phone calls without physical access to the phone.
In the past, security researchers have shown that ultrasonic waves and lasers could trigger voice assistants in the right conditions. However, the devices needed to be positioned in certain ways, and the equipment was conspicuous. SurfingAttack is a much more subtle approach because the hardware hides under a table.
When the target device is placed on the surface, a $5 circular piezoelectric disc on the underside can transmit commands to the phone. It can use the trigger phrase to wake up the assistant and then ask for information or initiate calls. The team used a laptop with text-to-speech software to send the desired commands to the ultrasonic array via Wi-Fi or Bluetooth. The disc is only 17 inches away from the phone, but the tabletop conceals the hardware from the target. In addition, the ultrasonic waves are outside the range of human hearing.
The researchers were able to take photos, read out text messages, and place calls to any phone number — an attacker could use this to swipe two-factor authentication codes or make people call premium rate phone numbers.
The target might have no idea their phone is leaking information if they’re not directly looking at it. However, the team needed to record audio output from the phone to steal data, and the sound would surely tip off anyone sitting near the phone. The solution was to tell the voice assistant to set audio output to the minimum level. A sensitive microphone under the table could record the assistant’s responses without alerting nearby people.
SurfingAttack works on almost all devices with a voice assistant enabled. The team tested phones from Apple, Google, Samsung, Motorola, Xiaomi, and Huawei — 17 models in all, and 15 of them were vulnerable. The best way to protect yourself from ultrasonic attacks like this is to keep your phone or disable the assistant trigger phrase.