A new type of attack called “SurfingAttack” can be used against voice assistant devices like Siri.
Voice assistants, popularized mainly by Apple’s Siri, have brought great convenience to users. After all, using voice commands, you can do a whole range of things such as playing music, calling someone or even downloading a video from the internet.
However, researchers have previously shown that ultrasonic waves, which are inaudible to humans, can be used to control different voice assistants, including the aforementioned Siri, Google Assistant, and Bixby. This is possible even though these voice assistants are technically supposed to recognize the owner’s voice rather than any random voice.
Nonetheless, emulation is possible, as shown by the DolphinAttack concept back in 2017, but that type of attack requires a couple of conditions:
- There must be a clear line of sight between the device and the ultrasound waves emitter.
- The distance should be short between the two.
In a more recent revelation, researchers have demonstrated [PDF] that ultrasound waves can not only be used in this way but can also be sent through materials of considerable thickness, such as a solid piece of glass or even a wooden table. They did so by attaching a piezoelectric disc to the bottom of the surface on which the smartphone was placed.
The only limitation is that, again, the distance was short, in this case 17 inches, amounting to 43 cm, which reduces the chances of a remote attack. Nonetheless, it is much easier to hide than other methods, since the disc cannot be seen.
The entire attack is shown in the researchers’ demonstration video, in which the SurfingAttack software generates commands that are then used to control the assistant. The potential ways to exploit this vulnerability include unauthorized use of the phone’s camera, access to confidential data such as messages, which can be used to bypass 2FA, and making phone calls.
Moreover, out of the 17 smartphones tested, 15 were compromised this way, including the likes of “Apple, Google, Samsung, Motorola, Xiaomi, and Huawei.” The two models that remained safe are Samsung’s Galaxy Note 10 and Huawei’s Mate 9. This was because the phones’ construction material “dampened the ultrasonic waves.”
There are tons of other videos demonstrating SurfingAttacks on different smartphone models available here.
To conclude, while this is not a vulnerability that would prompt immediate action on the part of these manufacturers, it would be wise of them to incorporate solutions for it in their future device launches.
An obvious one is using materials that dampen such sound waves, as seen in the two cases above, but other potential attack vectors also need to be considered, not just this one in isolation.