Researchers have discovered a new means to target voice-controlled devices by propagating ultrasonic waves through solid materials in order to interact with and compromise them using inaudible voice commands without the victims’ knowledge.
Called “SurfingAttack,” the attack leverages the unique properties of acoustic transmission in solid materials — such as tables — to “enable multiple rounds of interactions between the voice-controlled device and the attacker over a longer distance and without the need to be in line-of-sight.”
In doing so, it’s possible for an attacker to interact with the devices using the voice assistants, hijack SMS two-factor authentication codes, and even place fraudulent calls, the researchers outlined in the paper, thus controlling the victim device inconspicuously.
The research was published by a group of academics from Michigan State University, Washington University in St. Louis, Chinese Academy of Sciences, and the University of Nebraska-Lincoin.
The results were presented at the Network Distributed System Security Symposium (NDSS) on February 24 in San Diego.
How Does the SurfingAttack Work?
MEMS microphones, which are a standard in most voice assistant controlled devices, contain a small, built-in plate called the diaphragm, which when hit with sound or light waves, is translated into an electrical signal that is then decoded into the actual commands.
The novel attack exploits the nonlinear nature of MEMS microphone circuits to transmit malicious ultrasonic signals — high-frequency sound waves that are inaudible to the human ear — using a $5 piezoelectric transducer that’s attached to a table surface. What’s more, the attacks can be executed from as far as 30 feet.
To conceal the attack from the victim, the researchers then issued a guided ultrasonic wave to adjust the volume of the device low enough to make the voice responses unnoticeable, while still be able to record the voice responses from the assistant via a hidden tapping device closer to the victim’s device underneath the table.
Once set up, an interloper can not only activate the voice assistants (e.g., using “OK Google” or “Hey Siri” as wake words), but also generate attack commands (e.g. “read my messages,” or “call Sam with speakerphone”) using text-to-speech (TTS) systems — all of which are transmitted in the form of ultrasonic guided wave signals that can propagate along the table to control the devices.
Thanks for reading hope you like it
Credit :- the hackers news