Security researchers have warned that voice assistants made by the likes of Amazon, Google and Apple could be ‘hacked’ by remote attackers broadcasting commands in ultrasonic frequencies.
Researchers in China found that broadcasting the commands via a loudspeaker enabled them to activate the assistant from several metres, in what they called a “DolphinAttack”.
Remote attackers could therefore theoretically trick the device into making phone calls to premium rate numbers, visit malicious websites, take photographs and issue other commands at inaudible frequencies.
They could do this in proximity to the victim or even hide these commands in online videos, the report claims.
However, the attacks won’t work if the user has locked the voice assistant to only recognize one voice; a feature available on some platforms including Google Now.
A similar US study at Princeton also demonstrated a real-world attack using inaudible voice commands on an Android phone and an Amazon Echo device “with a high success rate at a range of 2-3 metres”.
Google and Amazon say they are investigating the claims made in the reports. The Chinese Zhejiang University researchers argue that speakers used to receive voice commands need to be tweaked to filter out sounds above 20 kilohertz in order to mitigate the threat.
Ofer Maor, director of enterprise solutions at Synopsys, argued that the threat may seem remote today, but could in time become much more serious if voice assistants are used to unlock smart doors in the home.
“While the convenience factor here is clear, being able to send such embedded commands could allow us to open the door or a gate or any other sort of mechanism designed to deter intruders,” he said. “Another layer of such commands is integration with security cameras and security alarms, which again, can be turned on and off as well as configured via voice commands.”
Laurie Mercer, senior solution architect at Veracode, added that audio and voice-based security controls would evolve as researchers like this begin to explore new vulnerabilities.
“Building in security by design and the ability to adapt to new threats will help IoT producers use security as a competitive advantage,” he argued.
“Given that the best way to avoid such an attack is to turn off the device, it could have a severe impact on customer satisfaction and adoption – one that could finally make the consumer IoT market bring security up the priority list.”