Beware: New research has found a scary way for attackers to secretly hack your iPhone's virtual assistant.
Virtual assistants like Siri and Alexa make our lives astonishingly easier—but they might leave us more vulnerable, too. According to researchers at the University of Michigan and the University of Electro-Communications, Tokyo, a security flaw in the assistants’ microphones could put our devices (and our privacy) at risk. Their study, published in a paper last year, revealed that hackers can take over voice-controlled devices like iPhones using tools as simple as laser pointers.
How a laser pointer can hack your iPhone
Believe it or not, devices with virtual assistants like Siri respond to light waves the same way they do to sound waves, the study found. By pointing a laser beam at the microphone, the researchers could trick a device into accepting commands as though it had heard a verbal cue. “It’s just like ‘speaking’ over a light beam, in such a way that the microphone can ‘hear’ it but of course your ears cannot,” says Randy Pargman, senior director for Binary Defense, a cybersecurity company.
After spending seven months testing the hack on devices enabled with Google Home, Amazon’s Alexa, and Apple’s Siri, the researchers discovered that they could transmit light commands from hundreds of feet away with items ranging from $14 laser pointers to flashlights.
What this means for personal security
Once a hacker hijacks a voice-controlled assistant, they can access anything that requires a voice command. Those who use Siri to simply keep a shopping list or tell them the weather are at low risk, according to Pargman. But this attack “is much more concerning for people who have their security connected to voice commands,” he says. The hacker would be able to turn off home security systems, order items online using saved credit card info, or even access medical devices that are synced with the assistant.
This attack can also work by shining the laser through a window, raising concerns about security when users are not home. In one instance, researchers successfully sent light commands through a window to a Google Home inside another building more than 200 feet away.
Has this ever actually happened?
Thankfully, the researchers said they do not know of any cases where an attacker has used light commands to control a device. Though the study demonstrated this technique in several real-world scenarios, Pargman noted that it would be tough to replicate. “It requires just the right combination of a sophisticated attacker who would go through a lot of effort to break into a house and a victim who has a lot of security devices connected through their digital assistant,” he says. “It also requires the digital assistant to be placed near a window, visible to a nearby location [where] the attacker can set up their equipment.
Hoping to prevent future attacks, the study’s authors shared their findings with companies whose products are vulnerable, including Amazon, Apple, and Google. The companies have said that they will investigate the potential security issue but reassured users that such an attack is unlikely.
How to protect your iPhone
Concerned about your privacy? To protect your iPhone against light commands, Pargman recommends keeping it away from windows and avoiding leaving it out where others can access it. “If a laser does not have a straight-line path from the outside to the microphone, it can’t be used,” he says. The same goes for other voice-controlled devices like Alexa and Google Home
Users should also think carefully about the privacy implications of having a voice-controlled device in the home, according to Pargman. Anyone from cybercriminals to house visitors to children can give commands to a virtual assistant, so “be smart about how much control you give them over your security and the things you care about,” he advises.
Sources:
LightCommands.com: “Laser-Based Audio Injection on Voice-Controllable System
The Michigan Engineer News Center: “Researchers take control of Siri, Alexa, and Google Home with lasers
Randy Pargman, senior director for Binary Defens
The Washington Post: “Hackers can hijack your iPhone or smart speaker with a simple laser pointer—even from outside your home”
Comments
Post a Comment