DolphinAttack: Voice Assistant Apps Siri and Alexa Can Be Hacked

Mainstream Voice Assistants Including Siri and Alexa Plagued with Serious Vulnerability.

Voice assistant apps are not as reliable as we deemed them to be. According to a group of researchers from Zhejiang University, the most popular voice assistants, namely Siri and Alexa, both contain a critical flaw. It must be noted that these apps cover almost every mobile platform, including iOS and Android. Therefore, whether you carry an iPhone or a Nexus, your device is at risk.

The team of researchers managed to translate typical audio commands into ultrasonic frequencies using the DolphinAttack method. These frequencies are much higher than the range audible to the human ear; however, microphones and the software powering the voice assistant can decipher them. It is a very simple translation process, but through this technique, it is possible to control any gadget with words uttered at frequencies we cannot hear.


The research team stated that the commands could be anything from a simple “Hey Siri” to forcing the iPhone to open a malicious website, asking a Nexus 7 to call “1234567890”, or telling Amazon’s Echo to “open the backdoor.” Attackers can easily push an Audi Q3 to change its navigation system settings and add a new location. The consequences are diverse and dangerous, because adversaries can try to manipulate the voice assistant software in any possible way. It is safe to say that these seemingly harmless, human-friendly UI programs have huge security repercussions.

In the research paper, the team stated that the attacks could be made from a distance of a few inches, so to hack gadgets like the Apple Watch or Amazon Echo, the attacker has to be within the required distance. But hacking an Apple iPhone was quite easy, as the hacker can simply walk by you while you are on the road or in a public place. All they need to do is play their desired command at an inaudible frequency. So, you can expect your browser, such as Chrome or Safari, to load a site, run code, install malware and let the cyber criminals access your phone to check out your communications and data.

To check how each voice assistant reacted to hacking, the researchers used a smartphone and $3 worth of hardware, including a small speaker and an amp. They noted that the exploitation is enabled by both hardware and software problems. The microphones installed in the devices and the software that powers voice assistants like Google Home, Siri and Alexa can pick up frequencies above the average human hearing limit of 20 kHz and perform all sorts of tasks as narrated to them by the hacker.

The $3 device used by researchers plus the full list of vulnerable devices
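
Because the microphone captures content above 20 kHz, one defensive check is to measure how much of a captured frame's energy lies above that limit and flag frames where the share is high. The following is an added example, not code from the article or the researchers' paper; the 96 kHz capture rate, the 10% threshold, the function names and the test tones are assumptions constructed for illustration.

```python
import cmath
import math

SAMPLE_RATE = 96_000   # assumed capture rate; must be > 40 kHz to represent content above 20 kHz
CUTOFF_HZ = 20_000     # human hearing limit cited in the article
THRESHOLD = 0.10       # assumed alert level: share of frame energy above the cutoff


def ultrasonic_ratio(samples, sample_rate=SAMPLE_RATE, cutoff_hz=CUTOFF_HZ):
    """Return the fraction of spectral energy above cutoff_hz in one frame."""
    n = len(samples)
    # Hann window limits leakage from speech-band tones into the high bins.
    frame = [s * (0.5 - 0.5 * math.cos(2 * math.pi * i / (n - 1)))
             for i, s in enumerate(samples)]
    total = high = 0.0
    for k in range(1, n // 2):                 # skip DC, stop below Nyquist
        w = -2j * math.pi * k / n
        power = abs(sum(x * cmath.exp(w * i) for i, x in enumerate(frame))) ** 2
        total += power
        if k * sample_rate / n > cutoff_hz:
            high += power
    return high / total if total else 0.0


def is_suspicious(samples, threshold=THRESHOLD):
    """Flag a frame whose ultrasonic energy share exceeds the threshold."""
    return ultrasonic_ratio(samples) > threshold


def tone(freq_hz, n=512, sample_rate=SAMPLE_RATE):
    """Constructed test signal: a pure sine at freq_hz."""
    return [math.sin(2 * math.pi * freq_hz * i / sample_rate) for i in range(n)]


# Constructed frames: speech-band only, ultrasonic only, and both mixed.
SPEECH = tone(1_000)
ULTRA = tone(30_000)
MIXED = [a + b for a, b in zip(SPEECH, ULTRA)]

if __name__ == "__main__":
    for name, frame in (("speech", SPEECH), ("ultrasonic", ULTRA), ("mixed", MIXED)):
        print(f"{name:10s} ratio={ultrasonic_ratio(frame):.3f} "
              f"suspicious={is_suspicious(frame)}")
```

The check only sees content below half the capture rate, so the assumed 96 kHz rate covers frequencies up to 48 kHz.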

The Chinese research team identified that every mainstream voice assistant has the same flaw when it comes to commands rendered above 20 kHz. We can assume that the higher the level of user-friendliness, the greater the vulnerability of any software. We use web browsers that can collect cookies without notifying us to let marketers track us on the web; we store our data on the Cloud, where hackers can easily steal it to sabotage our private lives; and now there are the voice assistants, which promise to make our life easier but can actually prove detrimental to our privacy.

“We have tested these attacks on 16 VCS models including Apple iPhone, Google Nexus, Amazon Echo, and automobiles. Each attack is successful on at least one SR system. We believe this list is by far not comprehensive. Nevertheless, it serves as a wake-up call to reconsider what functionality and levels of human interaction shall be supported in voice controllable systems,” said researchers.

Their research will be presented at the ACM Conference on Computer and Communications Security in Dallas, Texas from October 30th to November 3rd. However, a quick solution before the official one is turning off these apps by going into settings. 

How to disable Siri on iPhone, iPad, or iPod touch?

Go to Settings > General > Accessibility > Home Button.

Under Press and Hold to Speak, select one of these options:

Siri: Siri will respond when you press the Home button.

Voice Control: Classic Voice Control will respond when you press and hold the Home button. This will also turn off Siri.

Off: There will be no response when you press and hold the Home button. This will also turn off Voice Control and Siri.

How to disable Alexa App on Android devices?

Open the Alexa app on your phone, tablet or in your web browser.

Select skills from the sidebar menu.

Find your desired skill and select it.

Tap on enable to turn it on.


Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.