Apparently Siri, Alexa, and other voice assistants are susceptible to hacks from bats and dolphins—or maybe just hackers who know how to use ultrasonic frequencies. Researchers found voice assistants are more than happy to respond to spoken commands coming from ultrasonic transmitters, which means hackers could literally tell your phone to do something without you hearing the commands.
Researchers found they could record voice commands and run them through an ultrasonic transducer so humans couldn’t hear what was being said but smartphones still could. They were able to issue commands to call phone numbers, open websites, and even control smart home devices.
They’re calling the threat DolphinAttack. While it seems particularly nefarious, there are limitations to what it can do. The attack presumes your smartphone is already unlocked, for example, and it doesn’t work if the hacker is more than six feet away from your phone.
The security threat was tested successfully on Siri, Alexa, Cortana, Google Now, Samsung’s S Voice, and Huawei’s HiVoice. So far DolphinAttack is just a proof of concept.
The threat works because the microphones in our smartphones, tablets, and voice assistant appliances can pick up ultrasonic sound even though we can’t hear it. The fix, apparently, is for device makers to release updates that stop devices from listening to frequencies above 20 kHz, or at least to disregard any spoken commands above that frequency.
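The check described above, sketched as an added example (not code from the researchers or any device maker): it measures how much of a captured audio frame's energy sits above 20 kHz and refuses to act on frames where that share is too high. The 96 kHz sample rate, the 0.2 threshold, and all function names are assumptions made for illustration.

```python
import math

SAMPLE_RATE = 96_000        # assumed capture rate; must exceed 40 kHz to represent ultrasound
CUTOFF_HZ = 20_000          # upper limit named in the article
MAX_ULTRASONIC_SHARE = 0.2  # assumed rejection threshold, tune per device

def goertzel_power(samples, k):
    """Squared magnitude of DFT bin k, computed with the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(samples))
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def ultrasonic_share(samples, sample_rate=SAMPLE_RATE):
    """Fraction of the frame's spectral power that lies above CUTOFF_HZ."""
    n = len(samples)
    low = high = 0.0
    for k in range(1, n // 2):              # skip DC, stop below Nyquist
        power = goertzel_power(samples, k)
        if k * sample_rate / n > CUTOFF_HZ:
            high += power
        else:
            low += power
    total = low + high
    return high / total if total else 0.0

def should_reject(samples, sample_rate=SAMPLE_RATE):
    """True when the frame carries too much inaudible energy to act on."""
    return ultrasonic_share(samples, sample_rate) > MAX_ULTRASONIC_SHARE

def tone(freq_hz, amplitude, n=960, sample_rate=SAMPLE_RATE):
    """Constructed test signal: a pure sine of n samples."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / sample_rate) for i in range(n)]

def mix(*signals):
    return [sum(vals) for vals in zip(*signals)]

# Constructed 10 ms frames: audible-only content, then the same plus a 25 kHz component.
audible_only = mix(tone(300, 1.0), tone(2500, 0.5))
with_ultrasound = mix(audible_only, tone(25_000, 1.0))

if __name__ == "__main__":
    for name, frame in (("audible_only", audible_only), ("with_ultrasound", with_ultrasound)):
        print(name, round(ultrasonic_share(frame), 3), "reject" if should_reject(frame) else "accept")
```

A check like this only sees ultrasound if the capture path samples fast enough; at a 44.1 or 48 kHz sample rate little or nothing above 20 kHz is representable.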
Since this isn’t an attack that’s currently in the wild, it doesn’t pose a major threat, but it’s likely we’ll see updates to the popular voice command platforms to block it. Until then, watch to see if your iPhone starts showing where to find high concentrations of flying bugs or schools of fish because you just can’t trust those bats and dolphins.
Jeff:
I always knew there was something fishy about dolphins. Their cutesy demeanour is just a façade. And don’t even get me started on bats. Any creature that sleeps upside down is not to be trusted. This means that all smart phone users need to be sure to keep their phones locked when at Sea World and around bat caves.
In all seriousness, as limited a threat as this seems, it is useful to put this knowledge out there for the community, if for no other reason than to motivate the industry to neutralise it. One should never underestimate the ingenuity and resources of a determined actor, especially for a targeted, focal attack.
Remember Steve Jobs and Woz with their blue box phone dialer?