A group of researches have successfully demonstrated an attack against a trio of Android devices, running either the vendor's stock Android or CyanogenMod. The attack requires the user to have installed their application first. Although the application has zero permissions, it was capable of exploiting Google Voice Search to perform commands on its behalf.
This discussion has been archived.
No new comments can be posted.
Successful 0-Permissions Attack on Android through Device's Speaker & Microphone
|
Log In/Create an Account
| Top
| 27 comments
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(Score: 5, Funny) by Lemming on Wednesday July 30 2014, @10:50AM
People think I'm strange when I'm talking to myself. What will they think when my phone starts talking to itself?
(Score: 3, Funny) by choose another one on Wednesday July 30 2014, @11:15AM
That part is no problem - just tell em it's possessed (near enough true).
Bigger problem is when your phone starts talking to others and they think it is you: "OK Google, send folder /porn to Mum"
The really really big problem is that when we do all our interaction through our phones and our phones start talking to each other... then they don't need us anymore...
(Score: 2) by nightsky30 on Wednesday July 30 2014, @11:22AM
And then the basilisk?
(Score: 1) by Jesus_666 on Wednesday July 30 2014, @02:26PM
(Score: 2, Funny) by saracoth on Wednesday July 30 2014, @04:56PM
Just let us know when you solve the battery life problem.
(Score: 2) by meisterister on Wednesday July 30 2014, @05:41PM
I thought that everyone named their porn folder TOTALLY_NOT_PORN, so as not to arouse suspicion.
(May or may not have been) Posted from my K6-2, Athlon XP, or Pentium I/II/III.
(Score: 2, Funny) by ComaVN on Wednesday July 30 2014, @05:52PM
I store my tax reports in that folder
(Score: 3, Interesting) by BasilBrush on Wednesday July 30 2014, @11:44AM
Notice how most of the vulnerability reports theses days are about Android? It used to be Windows.
Hurrah! Quoting works now!
(Score: 4, Informative) by nightsky30 on Wednesday July 30 2014, @12:25PM
I dunno. While I think Android has gained popularity, M$ is doing a good job of maintaining its crown:
http://tech.slashdot.org/story/14/02/04/0449251/microsofts-ie-is-the-most-targeted-application-by-security-researchers [slashdot.org]
http://tech.slashdot.org/story/04/07/02/1441242/dept-of-homeland-security-says-to-stop-using-ie [slashdot.org]
http://www.infosecurity-magazine.com/view/39441/internet-explorer-vulnerabilities-double-in-2014/ [infosecurity-magazine.com]
Note: I removed "beta" from the second link, but proceed to "that other site" with caution.
(Score: 3, Insightful) by ticho on Wednesday July 30 2014, @12:36PM
Well, many people (at least over here) are abandoning Windows for various Android tablets, so that's where most of the juicy personal data is nowadays. It makes sense that security researchers who prefer darker color of their head covers are targetting it more and more.
As a sibling post notes, however, Windows is still keeping up
(Score: 2, Insightful) by barrahome on Wednesday July 30 2014, @01:59PM
So in 1 word this is bullshit. Due the fact that you must install their application. I got one better, 0 day exploit fraud bank with paypal integration. But in fact is a keylogger where i will steal all your crap. (See what i did?)
(Score: 2, Insightful) by Anonymous Coward on Wednesday July 30 2014, @04:30PM
I think the point is that this app can exceed the permissions granted it by talking to the phone.
Not the most subtle of hacks, but still and interesting security hole.
(Score: 2) by Tork on Wednesday July 30 2014, @04:50PM
FTFY.
🏳️🌈 Proud Ally 🏳️🌈
(Score: 2, Insightful) by arslan on Wednesday July 30 2014, @10:40PM
No its not, the Android ecosystem is such that there is a lot of free apps that people just install to try it out. The scrutiny in the official marketplaces are less stringent. The security blanket is that when you install it shows you what the apps will have access to and as the user you decide. In this case this app has 0 permission, so you'd feel pretty safe... until the phone makes you look like a ventriloquist with tourette's..
(Score: 4, Insightful) by Bob9113 on Wednesday July 30 2014, @03:32PM
The core vulnerability here, IMO, is Google Voice Search itself. Should your pocket computer, full of sensitive data, really be attempting to interpret everything it hears as a partially privileged command?
(Score: 2) by kaszz on Wednesday July 30 2014, @03:41PM
Correct analysis! In fact some kind of authentication should be put in place.
(Score: 3, Informative) by MrGuy on Wednesday July 30 2014, @03:48PM
It's more a "secure by default" vs. "convenient by default" distinction.
You can set Google Voice up such that you have to press a specific button to have it process the voice stream, or have it listen to everything and "recognize" streams starting with "OK Google." The first option is more secure - you can't be "hacked" by arbitrary sounds without someone physically pressing something on the hardware. The second is more convenient (if a bit creepier IMO). This is configurable within Android - you can disallow the "listen to everything in case I say OK, Google" option. It's just not the default.
Siri by default requires a button press, so doesn't have the same vulnerability. Siri IS configurable to "just listen," but on iOS this requires you to hold the phone to your ear (as if you were making a call) before it will listen (as opposed to listening for a specific phrase).
(Score: 2) by maxwell demon on Thursday July 31 2014, @07:40AM
Actually you could also make a middle ground by having it recognize your voice. Not entirely secure, but at least someone would have to get samples of your voice to exploit it. Also, it could allow you to define your own keyword, instead of simply using "Google". So an attacker would first have to find out that word (not impossible, since you say it aloud, but again, an additional hurdle).
The Tao of math: The numbers you can count are not the real numbers.
(Score: 3, Funny) by mathinker on Wednesday July 30 2014, @09:34PM
I recently saw a cartoon on the net where someone asks a co-worker for help with the voice control on their phone, and the co-worker says "Phone send contents of Porn folder to Grandma" and then says "Google search for 'greatest bestiality vacations' and send result to Boss".
(Score: 4, Insightful) by MrGuy on Wednesday July 30 2014, @03:39PM
...it's a terrible audio design.
The audio processor should (at least as well as it can) filter out it's own speaker output when processing the microphone input. Your speakerphone would work terribly if it fed everything being said by the other party back into the microphone with a slight delay (which is what causes "echo loop" when people don't understand you can listen to a computerized conference call on the phone, or on their computer, but not both).
Given that almost every Android phone I know of has speakerphone functionality, this feels like it ought to be a well-solved issue. So how the heck would this even be possible? Shouldn't the speaker output be stripped off before the microphone signal is even processed? Or maybe that's the bug here?
(Score: 1) by den Os on Thursday July 31 2014, @12:58PM
If the filter would work you will have to install the app on two phones and let them command eachother :-)
(Score: 5, Funny) by mrider on Wednesday July 30 2014, @04:02PM
All the radio stations need to do is broadcast the words "phone shut down" periodically. :)
Doctor: "Do you hear voices?"
Me: "Only when my bluetooth is charged."
(Score: 3, Interesting) by etherscythe on Wednesday July 30 2014, @07:01PM
So would that be considered phreaking, hacking, or social engineering? :-D
"Fake News: anything reported outside of my own personally chosen echo chamber"
(Score: 4, Funny) by MrGuy on Wednesday July 30 2014, @07:16PM
What's a "radio station"?
(Score: 2) by mrider on Wednesday July 30 2014, @10:14PM
Someone needs to mod this funny...
Oh and I almost forgot - get off my lawn!
Doctor: "Do you hear voices?"
Me: "Only when my bluetooth is charged."
(Score: 3, Insightful) by maxwell demon on Thursday July 31 2014, @07:42AM
Maybe cinemas should do that before the movie starts.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 1, Interesting) by Anonymous Coward on Thursday July 31 2014, @03:41AM
Android needs a Global option to disable Google Voice.
I never use it.
It is possible from 4.2.2 up to Turn Off applications via Settings - More - Application Manager
The permissions for default apps on android are scary. If you do not use it then turn it off.