Is There Anybody Out There?

By Michael Fiorito, MDS

Do you use an always-on voice assistant? Enjoy the benefits, but be cautious.

Researchers have discovered a vulnerability in most of the major voice assistants. It affects every iPhone and MacBook running Siri, any Galaxy phone, any PC running Windows 10, and even Amazon’s Alexa assistant.

Using a technique called the DolphinAttack, researchers have translated vocal commands into ultrasonic frequencies that are too high for the human ear to hear, but perfectly decipherable by the microphones and software powering our always-on voice assistants. This relatively simple translation process lets them take control of gadgets with just a few words uttered in frequencies none of us can hear.

The researchers didn’t just activate basic commands like “Hey Siri” or “Okay Google,” though. They could also tell an iPhone to “call 212-444-5000” or tell an iPad to FaceTime the number. They could force a MacBook or a Nexus 7 to open a malicious website.

In some cases, these attacks could only be made from inches away, though gadgets like the Apple Watch were vulnerable from within several feet. It might be hard to imagine an Amazon Echo being hacked with DolphinAttack.

Hacking an iPhone, however, might involve walking by you in a crowd. The intruder might have their phone out, emitting a command in frequencies you wouldn’t hear, while you’d have your own phone clutched in your hand. Perhaps you wouldn’t notice as Safari or Chrome loaded a site that ran code to install malware, leaving the contents and communications of your phone open for them to explore.

Voice assistants like Siri, Alexa, and Google Home can pick up inaudible frequencies, specifically frequencies above the range of human hearing.

User-friendliness is increasingly at odds with security. Our web browsers easily and invisibly collect cookies, allowing marketers to follow us across the web. Our phones back up our photos and contacts to the cloud, tempting any focused hacker with a complete repository of our private lives. We’ve made a Faustian bargain: our easy-to-use technology has come with a hidden cost, our own personal vulnerability. This new voice command exploit is just the latest in a growing list of security holes caused by design.

For now, there’s a relatively easy fix to most DolphinAttack vulnerabilities: turn off the always-on settings of Siri or the Google Assistant on your phones and tablets, and a hacker won’t be able to talk to your phone (except during those moments you’re trying to talk to it, too). Meanwhile, the Amazon Alexa and Google Home both have hard mute buttons that should do the trick most of the time.

If you use always-on voice assistants, use them smartly. A door is only useful if it is closed and, ideally, locked. Do the same with any new technology.

Pulling the plug doesn't have to be your only security solution.

Don’t become part of a rising statistic — ensure your company is armed against a security hack.