Voice-activated digital assistants have become one of the more pervasive technologies in the world, found on nearly every smartphone, with Apple Inc.‘s (NASDAQ:AAPL) Siri being one of the most well-known.
Once restricted to phones, these virtual helpers can now be found on a wide variety of devices. Smart speakers like Amazon.com‘s (NASDAQ:AMZN) Echo and Alphabet Inc.‘s (NASDAQ:GOOGL) (NASDAQ:GOOG) Google Home top the list. The technology is present in many home computers via Microsoft‘s (NASDAQ:MSFT) Cortana, and in an increasing number of cars, like the Audi (NASDAQOTH:AUDVF) Q3 with voice commands.
But hackers are hard at work trying to gain the upper hand in any computer technology, and voice control is high on their hit list.
The silent attack
While many methods employed by hackers require a user to make some error in judgement, like clicking a malicious link in a seemingly legitimate email, these latest attacks can be accomplished without any misstep from the user.
Researchers from China’s Zhejiang University have reportedly discovered a way to hijack the most widely used voice-controlled devices using ultrasonic frequencies that are inaudible to human hearing, but can be detected by the microphones on your smartphone and other devices. Deploying a technique they called a “DolphinAttack,” the team translated some of the most-used human voice commands into high frequencies — above 20 kHz — and then aimed them at smartphones, tablets, smart speakers, and even some in-car interfaces.
In their recently published study, the researchers tested voice control agents from some of the biggest names in technology, testing 16 in all. Siri, Google Now, and Amazon’s Alexa were all subjected to the experiment, as were Cortana, Audi voice command, and Samsung‘s (NASDAQOTH:SSNLF) S Voice.
The research team was able to use basic commands like “Hey, Siri” and “Alexa” to activate the devices, as well as successfully instructing iPhones to “call 1234567890” and an iPad to FaceTime the same number. They were able to convince Google Now to switch to airplane mode, and even successful at controlling the navigation system on the Audi. The hack was effective across every device tested, in a variety of languages.
The attacks were accomplished using a Samsung Galaxy S6 Edge smartphone, an ultrasonic transducer, a low-cost amplifier, and a battery. Excluding the smartphone, the cost of the parts necessary to build the hacking tool was less than $3.
Effective, but with limitations
There are certain limitations that currently restrict the effectiveness of the hijack. The hacking tool had a range of only five or six feet. Also, it was necessary for a user’s device to be activated in order for the hacker’s commands to be accepted, which is more likely with smart speakers than cellphones. The commands had limited effectiveness in noisy environments. And because digital assistants provide audible responses to voice requests, it’s unlikely that these attacks would pass unnoticed.
Still, this research serves as a cautionary tale. Advances in technology come with limitations and new sets of vulnerabilities all their own.
John Mackey, CEO of Whole Foods Market, an Amazon subsidiary, is a member of The Motley Fool’s board of directors. Suzanne Frey, an executive at Alphabet, is a member of The Motley Fool’s board of directors. Teresa Kersten is an employee of LinkedIn and is a member of The Motley Fool’s board of directors. LinkedIn is owned by Microsoft. Danny Vena owns shares of Alphabet (A shares), Amazon, and Apple. The Motley Fool owns shares of and recommends Alphabet (A shares), Alphabet (C shares), Amazon, and Apple. The Motley Fool has the following options: long January 2020 $150 calls on Apple and short January 2020 $155 calls on Apple. The Motley Fool has a disclosure policy.