Voice-activated digital assistants have worked their way into most consumer electronic devices, such as phones and iPads, and even into full operating systems like Windows 10. Digital assistants save time because commands can be spoken instead of typed out manually on awkward touchscreens or tiny keyboards. Unfortunately, researchers have discovered that a simple design flaw in the way voice recognition works on these devices makes them vulnerable to hackers.
Chinese researchers from Zhejiang University have discovered a technique for hacking voice-based assistants that affects all major brands on the market today. The technique is called DolphinAttack: researchers translate human voice commands into ultrasonic frequencies that are above the audible range of humans (over 20,000 Hz). These frequencies can then be played back from almost any audio device and will be picked up by a vulnerable device.
Inaudible voice commands delivered to a device can make it do anything a normal voice command can. This becomes dangerous because voice commands range from simple directions to start an application to commands to call specific numbers or visit a particular website. Since the commands are given inaudibly, a user could be set up to download malware or even make unauthorized purchases or money transfers without ever knowing about it.
Outfitted with a standard smartphone and just a few dollars’ worth of additional hardware, researchers were able to successfully attack phones and other devices at distances ranging from a few inches up to a few feet, depending on the make and model of the device. This means that a passenger passing you on the subway would have all the time they needed to hijack your phone. Fortunately, because of the range restriction, devices such as your personal computer or your Amazon Echo at home are unlikely to be at risk. The other saving grace is noise. Because DolphinAttacks are driven by high-frequency sounds, it’s possible to drown them out simply by having a lot of background noise.
Regardless, the fact that these systems can be exploited should be enough to give people pause. Fixes to the problem could be as simple as adding limitations to the audio frequencies that mobile devices accept or enforcing physical verification for devices that have digital assistants enabled. In the meantime, if you spend a lot of time in areas with high foot traffic, you may want to consider disabling voice commands on your phone or tablet.
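One way to picture the "limit the accepted audio frequencies" fix mentioned above, as an added example that is not code from the researchers or from any device vendor: measure how much of a captured frame's energy lies above 20,000 Hz and refuse to pass it to the assistant when that share is too high. The 96 kHz capture rate, the 0.2 threshold, the function names and the test tones are all assumptions made for illustration.

```python
import cmath
import math

SAMPLE_RATE = 96_000         # assumption: capture rate high enough to represent ultrasound
AUDIBLE_LIMIT_HZ = 20_000    # upper limit of human hearing given in the article
MAX_ULTRASONIC_RATIO = 0.2   # assumption: policy threshold, tune per device

def band_energy(frame, sample_rate=SAMPLE_RATE):
    """Split one frame's spectral energy into (audible, ultrasonic) with a plain DFT."""
    n = len(frame)
    audible = ultrasonic = 0.0
    for k in range(1, n // 2 + 1):          # skip DC, stop at Nyquist
        coeff = sum(x * cmath.exp(-2j * math.pi * k * i / n)
                    for i, x in enumerate(frame))
        power = abs(coeff) ** 2
        if k * sample_rate / n > AUDIBLE_LIMIT_HZ:
            ultrasonic += power
        else:
            audible += power
    return audible, ultrasonic

def ultrasonic_ratio(frame, sample_rate=SAMPLE_RATE):
    """Fraction of the frame's energy that lies above the audible limit."""
    audible, ultrasonic = band_energy(frame, sample_rate)
    total = audible + ultrasonic
    return ultrasonic / total if total else 0.0   # silence carries no command

def accept_frame(frame, sample_rate=SAMPLE_RATE):
    """Pass a frame to the voice assistant only if it is mostly audible-band."""
    return ultrasonic_ratio(frame, sample_rate) <= MAX_ULTRASONIC_RATIO

def tone(freq_hz, amplitude=1.0, n=480, sample_rate=SAMPLE_RATE):
    """Constructed test signal: a pure sine tone, one 5 ms frame long."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / sample_rate)
            for i in range(n)]

def mix(*signals):
    return [sum(samples) for samples in zip(*signals)]

# Constructed inputs, not recordings
SPEECH_LIKE = mix(tone(400), tone(1200, amplitude=0.5))
CARRIER_ONLY = tone(25_000)
SPEECH_PLUS_CARRIER = mix(SPEECH_LIKE, tone(25_000, amplitude=2.0))

if __name__ == "__main__":
    for name, frame in [("speech-like", SPEECH_LIKE), ("25 kHz carrier", CARRIER_ONLY),
                        ("speech + carrier", SPEECH_PLUS_CARRIER)]:
        print(f"{name:18s} ratio={ultrasonic_ratio(frame):.3f} accept={accept_frame(frame)}")
```

The check only sees ultrasound if the capture path samples fast enough to preserve it, which is why the 96 kHz rate is stated as an assumption.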