Siri, Alexa, and other voice assistants can be hacked with inaudible commands
Malicious ultrasonic voice commands that are too high in frequency for human ears can be fed to a wide variety of voice assistants; Siri, Alexa, Google Now, S Voice, Cortana, and others are vulnerable.
By Liu Hongzuo
"Hey Siri, they can't hear me, but you can."
Hacking has taken a strange new turn with the rise of voice assistants like iOS’s Siri and Amazon’s Alexa. Researchers from Zhejiang University discovered that voice assistants with always-on listening are vulnerable to malicious voice commands broadcast as ultrasonic sound above 20,000Hz in frequency. The researchers dubbed the technique DolphinAttack.
By using sound frequencies far outside an average human’s hearing range, these inaudible voice commands can hide in plain sight. The researchers have successfully made the devices call simulated premium hotlines (“Call/FaceTime 1234567890”) and open malicious URLs (“Open dolphinattack.com”), among other attempts, in five languages (English, Chinese, French, Spanish, German). Below is a list of the devices tested.
For the Audi Q3, the researchers managed to redirect its navigation system to another place. Different gadgets were also vulnerable at various distances – the paper mentioned that “Apple Watch can be activated with a success rate of 100% from 100 cm away”, and “the Galaxy S6 Edge can be activated with 100% (success rate) from 25 cm”. The malicious voice commands were broadcast at 106.2dB – 113.96dB; for reference, an operating garbage truck is approximately 100dB.
The researchers were helpful enough to include an instructional guide on how to use ultrasound for voice-command hacking.
According to the researchers' paper, replicating the attack is relatively affordable and straightforward. The portable version of DolphinAttack uses a mobile device, and it only required another US$3 for extra hardware – an amplifier that uses the phone’s 3.5mm port, an ultrasonic transducer (speaker), and a battery. The findings revealed that DolphinAttack is hardware dependent, as the microphones on the test devices are capable of picking up ultrasonic frequencies (tested frequencies were 23kHz, 25kHz, 33kHz, 40kHz, and 48kHz).
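From the defender's side, the tested frequencies listed above can be looked for directly in a high-rate microphone capture. The following is an added example, not code from the paper or from this article; the 192 kHz sample rate, 10 ms frame, 0.1 threshold and all function names are assumptions, and the sample frames are constructed.

```python
import math

SAMPLE_RATE = 192_000      # assumption: raw capture that preserves content up to 96 kHz
FRAME = 1_920              # assumption: 10 ms frames, giving 100 Hz bin spacing
TESTED_HZ = (23_000, 25_000, 33_000, 40_000, 48_000)  # frequencies listed in the article

def goertzel_power(samples, freq_hz, rate=SAMPLE_RATE):
    """Squared DFT magnitude at the bin nearest freq_hz (Goertzel recurrence)."""
    n = len(samples)
    k = round(n * freq_hz / rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def ultrasonic_ratios(samples, rate=SAMPLE_RATE):
    """Share of the frame's energy sitting at each tested frequency (0.0 to 1.0)."""
    n = len(samples)
    total = sum(x * x for x in samples)
    if n == 0 or total == 0.0:
        return {}
    # For a tone centred on a bin, 2*|X[k]|^2 / n equals that tone's energy.
    return {f: 2.0 * goertzel_power(samples, f, rate) / (n * total)
            for f in TESTED_HZ if f < rate / 2}  # skip bins the rate cannot represent

def is_suspicious(samples, threshold=0.1, rate=SAMPLE_RATE):
    """Flag a frame when any tested frequency holds >= threshold of its energy."""
    return any(r >= threshold for r in ultrasonic_ratios(samples, rate).values())

def tone(freq_hz, amplitude, n=FRAME, rate=SAMPLE_RATE):
    """Constructed test signal: a plain sine wave."""
    return [amplitude * math.sin(2.0 * math.pi * freq_hz * t / rate) for t in range(n)]

# Constructed frames: an audible 1 kHz tone, alone and with a 25 kHz component added.
audible_only = tone(1_000, 1.0)
with_ultrasound = [a + b for a, b in zip(audible_only, tone(25_000, 0.5))]

if __name__ == "__main__":
    for name, frame in (("audible_only", audible_only), ("with_ultrasound", with_ultrasound)):
        hits = {f: round(r, 3) for f, r in ultrasonic_ratios(frame).items() if r >= 0.1}
        print(name, "suspicious" if is_suspicious(frame) else "clean", hits)
```

A capture path sampled at 48 kHz cannot represent anything above 24 kHz, so this check only has meaning on a raw, high-rate capture.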
If you needed an excuse or reason to disable voice commands on your smartphone, DolphinAttack might be a good one.
Trivia: We believe that the name DolphinAttack was a homage to the Allied Forces' Dolphin naval combat unit from RTS games Red Alert 2 and Red Alert 3, which, in turn, is a reference to legitimate military dolphins in the employ of the Soviet Navy and the U.S. Navy.
Sources: Zhejiang University via Fast Co. Design