SurfingAttack, how ultrasound can violate Siri and Google Assistant

Aina Prat Blasi

Is it possible to activate the voice commands of virtual assistants, such as Google Assistant and Siri, without using the human voice? Yes, it's called SurfingAttack and it uses ultrasound. This is the conclusion of a research group from Washington University in St. Louis, which has shown how ultrasonic waves propagating through surfaces such as a table can activate speech recognition systems and issue commands to them.

This scenario opens up a serious vulnerability that attackers can exploit to access smartphone content without the owner's knowledge. "The ultrasounds," it says, "do not emit any sound, but can still activate Siri and make it make calls, take pictures or read the contents of a message received". Ultrasonic waves are not perceptible to the human ear, but they are to the microphone of a mobile phone. “If you know how to play with the signals, you can manipulate them in such a way that when the phone receives sound waves it will think you are giving a command,” explains Ning Zhang, assistant professor of computer science and engineering at McKelvey School of Engineering.

To conduct the experiment, the researchers placed under a table a microphone, a piezoelectric transducer (PZT), which converts electricity into ultrasonic waves, and a waveform generator to send the right signals. With everything managed through software installed on a PC, it was enough to send coded commands to the smartphone placed on the table to get the desired action from the virtual assistant.

The assistant was first asked to turn the volume down, so that the user would not hear its responses in an environment with a moderate level of noise. Next, it was ordered to read a received message that contained the code for two-factor authentication for a banking service. The response was picked up by the microphone under the table, but was not heard by the victim.

Of course, for the attack to succeed, the user must also not notice that the display of the device has lit up. The team tested 17 different smartphone models from various brands (Google, Motorola, Samsung, Xiaomi, Huawei and Apple). All but the Huawei Mate 9 and Galaxy Note 10+ proved vulnerable to the attack. According to the researchers, the reason could be the curved design of these devices and the materials used, which affect the signals.

The test also worked on surfaces of different materials, such as metal, glass and wood, and with the devices placed in different positions. The attack succeeded in every case, with somewhat more difficulty only on plastic. So how can you protect yourself from these potential attacks?

The researchers' answer points towards software: the idea would be to develop software capable of differentiating ultrasonic waves from human voices. Alternatively, one could intervene on the hardware design, for example by positioning the microphone differently to dampen the ultrasonic waves. Meanwhile, the user could place the smartphone on a soft fabric, such as a tablecloth.
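The software defense mentioned above, sketched as an added example that is not from the researchers or from the original article: it compares the energy in a speech band with the energy in an ultrasonic band and flags a capture window dominated by the latter. The 96 kHz capture rate, the band limits, the 0.5 threshold and all three test windows are constructed assumptions.

```python
import math

RATE = 96_000                  # assumed capture rate that preserves ultrasound
N = 960                        # 10 ms window -> 100 Hz frequency resolution
VOICE_BAND = (300, 3_400)      # assumed speech band, Hz
ULTRA_BAND = (20_000, 40_000)  # assumed ultrasonic band, Hz

def goertzel_power(samples, freq):
    """Signal power at a single frequency (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_power(samples, band, step=100):
    """Sum power over a band, one probe per 100 Hz bin."""
    return sum(goertzel_power(samples, f) for f in range(band[0], band[1] + 1, step))

def ultrasonic_ratio(samples):
    """Fraction of the measured energy that lies in the ultrasonic band."""
    voice = band_power(samples, VOICE_BAND)
    ultra = band_power(samples, ULTRA_BAND)
    return ultra / (voice + ultra + 1e-12)

def is_suspicious(samples, threshold=0.5):
    """Flag a window dominated by ultrasonic rather than speech energy."""
    return ultrasonic_ratio(samples) > threshold

def tones(components):
    """Build a constructed test window from (amplitude, frequency) pairs."""
    return [sum(a * math.sin(2.0 * math.pi * f * n / RATE) for a, f in components)
            for n in range(N)]

# Constructed inputs, not recordings: speech-band tones vs. ultrasonic-band tones.
VOICE_LIKE = tones([(0.5, 400), (0.3, 1_200), (0.2, 2_500)])
ULTRASONIC = tones([(0.2, 27_600), (1.0, 28_000), (0.2, 28_400)])
MIXED = tones([(0.5, 400), (0.3, 1_200), (1.0, 28_000)])

if __name__ == "__main__":
    for name, window in [("voice-like", VOICE_LIKE), ("ultrasonic", ULTRASONIC),
                         ("mixed", MIXED)]:
        print(f"{name:10s} ratio={ultrasonic_ratio(window):.3f} "
              f"suspicious={is_suspicious(window)}")
```

A check of this kind only works if the audio path keeps the ultrasonic band; a capture chain that samples at a lower rate or filters above the speech band before digitization leaves nothing for it to measure.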

