
Your phone's virtual assistants, like Google and Siri, can be hacked with a <$10 device using SurfingAttack

Yup, you read that right. According to a new research paper by Qiben Yan (SEIT Lab, Michigan State University), Kehai Liu (Chinese Academy of Sciences), Qin Zhou (University of Nebraska-Lincoln), Hanqing Guo (SEIT Lab, Michigan State University) and Ning Zhang (Washington University in St. Louis), your phone's virtual assistants, such as Google Assistant, Siri and Bixby, can be activated using ultrasonic waves that are inaudible to humans. Once activated, the assistant can be made to execute commands such as reading text messages, making a call or sending text messages, possibly most of the commands an assistant can perform for the user, in order to steal personal information.

The researchers tested 17 different phone models, and the attack succeeded on 15 of them at the first attempt, without changing any OS or code. Those 15 are popular devices: Pixel, Google Pixel 2, Google Pixel 3, Moto G5, Moto Z4, Samsung Galaxy S7, Samsung Galaxy S9, Xiaomi Mi 5, Xiaomi Mi 8, Xiaomi Mi 8 Lite, Huawei Honor View 10, Apple iPhone 5, Apple iPhone 5s, Apple iPhone 6+ and Apple iPhone X, all running different versions of Android and iOS, both the latest and older ones.

So, how did they do this, and how does SurfingAttack work?


Calling it SurfingAttack, the team demonstrated that whenever your device is lying on a table, an attacker can send a voice command that is inaudible to humans to a $5 PZT transducer placed at the bottom of the table. The transducer accepts the signal and sends it to your device as ultrasonic waves. Your device accepts the signal and responds to the command.

Device on table -> Attacker decides to attack -> Attacker sends signal to transducer -> Transducer sends ultrasonic waves -> Your device's microphone picks up the signal -> Assistant activates


For example:

If an attacker sends "OK Google" or "Hey Siri" followed by a command to read the text messages, your device's microphone picks up the signal from the transducer, which activates the virtual assistant. The assistant, thinking that you are the one asking, reads the text message aloud; this is picked up by the device kept under the table and sent back to the attacker. And if you think you would hear your phone reading it aloud, the researchers say you would be wrong, because the first thing they do before asking your assistant to read messages is reduce your phone's volume to less than 3, using the same technique. If they send a reduce-volume command, your device lowers its volume 😞😞 So you might not hear it reading the messages out.



The researchers also attempted a conversation with another person, asking for a password the way we would ask, and it was successful (and of course your device is capable of that when there is technology like Google Duplex). Another question: what about the vibration? They have a solution for that too.

To activate the voice assistants, the baseband signal v(t) will embed the wake words such as “OK Google” in front of the attack commands. We use existing speech synthesis techniques to generate the wake words of a specific voice, and the attack commands can be simply generated using TTS systems. However, in our experiments, we discover that after the activation command wakes up the assistant, the device creates a short vibration for haptic feedback to indicate the assistant is ready. This vibration may negatively affect the mechanical coupling, and thus reduce the attack success rate of the subsequent attack commands. In response, we insert a multi-seconds gap between the wake words and attack commands to eliminate the vibration’s impact.

This attack was successful on most solid materials and up to a distance of 30 ft, the researchers conclude.

I said 15 out of 17 were successful, so which two devices escaped?

They were the Mate 9 and the Samsung Galaxy Note 10+. Those two devices likely survived because of their curved bodies: one has a curved back cover and the other has a curved front screen as well.

"In order to trace the root cause behind the failure, we install LineageOS 16.0 on both Xiaomi Mi 8 and Samsung Note 10+. With the same Android OS, we eliminate the variation brought by different OSs. We launch SurfingAttack towards these two phones equipped with the same LineageOS, and the result shows that SurfingAttack successfully attacks Xiaomi Mi 8, but still fails to attack
Samsung Note 10+, which indicates that the attack failure cannot be attributed to the OS customization. Moreover, we notice that the recorded sound of the ultrasound commands from Samsung Note 10+ has a very weak strength, which is likely caused by signal dampening over the body of the phone. Therefore, our conclusion is that the failure of the attack is most likely attributed to the structures and materials of the phone body."

So, what can we do to prevent this kind of attack?

Simply disable the assistant on your lock screen, and lock your device when you put it down. And if you are someone who thinks "I don't have any sensitive data on my phone", remember that not only your data is at risk here, but your loved ones' data too (your assistant is capable of sending a message to one of your contacts asking for a password, pictures, etc., and they will think it is you).
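Because the commands ride on ultrasound that people cannot hear, a monitoring sensor that can record above 20 kHz can flag them by comparing ultrasonic and audible power. The sketch below is an added example, not code from the paper or from this post; the 96 kHz sample rate, band edges, thresholds and the contact-sensor setup are assumptions, and the test frames are constructed.

```python
import math

SAMPLE_RATE = 96_000   # assumed: the sensor samples fast enough to see >20 kHz
FRAME = 960            # 10 ms frame, so Goertzel bins are 100 Hz apart
AUDIBLE = range(100, 8_001, 100)         # Hz, where speech energy lives
ULTRASONIC = range(20_000, 45_001, 100)  # Hz, inaudible band to watch
RATIO_THRESHOLD = 1.0  # assumed: flag when ultrasonic power exceeds audible
POWER_FLOOR = 1e-6     # assumed: ignore frames that are essentially silent

def goertzel_power(samples, freq, rate=SAMPLE_RATE):
    """Normalised power of `samples` at a single frequency (Goertzel)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / len(samples) ** 2

def band_power(samples, band):
    """Total power over every 100 Hz bin in `band`."""
    return sum(goertzel_power(samples, f) for f in band)

def ultrasonic_ratio(samples):
    """Ultrasonic-to-audible power ratio for one frame."""
    return band_power(samples, ULTRASONIC) / (band_power(samples, AUDIBLE) + 1e-12)

def is_suspicious(samples):
    """True when the frame carries strong energy that nobody could hear."""
    ultra = band_power(samples, ULTRASONIC)
    return ultra > POWER_FLOOR and ultrasonic_ratio(samples) > RATIO_THRESHOLD

def tone(freq, amp, n=FRAME, rate=SAMPLE_RATE):
    return [amp * math.sin(2.0 * math.pi * freq * i / rate) for i in range(n)]

def mix(*signals):
    return [sum(vals) for vals in zip(*signals)]

# Constructed frames: ordinary room sound, then the same with a 25 kHz tone.
room = mix(tone(300, 0.2), tone(1_000, 0.1))
room_plus_carrier = mix(room, tone(25_000, 0.5))

if __name__ == "__main__":
    for name, frame in (("room", room), ("room + 25 kHz", room_plus_carrier)):
        print(f"{name}: ratio={ultrasonic_ratio(frame):.2f} "
              f"suspicious={is_suspicious(frame)}")
```

A real deployment would tune the threshold against recordings from the actual sensor, since some everyday equipment also emits ultrasound.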

One of the best ways to protect our loved ones is to stay safe ourselves.

What do you say?

Credits, and if you would like to read the complete paper: https://www.egr.msu.edu/sites/default/files/surfingattack.pdf

Update: The site is now available on GitHub as well.
