
SoylentNews is people

posted by Fnord666 on Thursday September 07 2017, @01:46PM
from the careless-whispers dept.

Submitted via IRC for SoyCow1937

Hacks are often caused by our own stupidity, but you can blame tech companies for a new vulnerability. Researchers from China's Zhejiang University found a way to attack Siri, Alexa and other voice assistants by feeding them commands in ultrasonic frequencies. Those are too high for humans to hear, but they're perfectly audible to the microphones on your devices. With the technique, researchers could get the AI assistants to open malicious websites and even your door if you had a smart lock connected.

The relatively simple technique is called DolphinAttack. Researchers first translated human voice commands into ultrasonic frequencies (over 20,000 Hz). They then simply played them back from a regular smartphone equipped with an amplifier, ultrasonic transducer and battery -- less than $3 worth of parts.

What makes the attack scary is the fact that it works on just about anything: Siri, Google Assistant, Samsung S Voice and Alexa, on devices like smartphones, iPads, MacBooks, Amazon Echo and even an Audi Q3 -- 16 devices and seven systems in total. What's worse, "the inaudible voice commands can be correctly interpreted by the SR (speech recognition) systems on all the tested hardware." Suffice to say, it works even if the attacker has no device access and the owner has taken the necessary security precautions.

Source: https://www.engadget.com/2017/09/06/alexa-and-siri-are-vulnerable-to-silent-nefarious-commands/
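
A defender-side check for the condition the summary describes, added here as an example and not taken from the article or the researchers: it measures how much of a captured frame's energy sits above the 20,000 Hz line, which only works if the capture is sampled at more than 40 kHz and inspected before any downsampling. The function names, the 96 kHz rate, the 10% threshold and the test tones are assumptions constructed for illustration.

```python
import cmath
import math

ULTRASONIC_CUTOFF_HZ = 20_000   # "over 20,000 Hz" per the article
ALERT_RATIO = 0.10              # assumed threshold, tune per device

def ultrasonic_energy_ratio(frame, sample_rate, cutoff_hz=ULTRASONIC_CUTOFF_HZ):
    """Fraction of the frame's spectral energy at or above cutoff_hz."""
    if sample_rate / 2 <= cutoff_hz:
        # Below this rate the ultrasonic band cannot be represented at all.
        raise ValueError("sample rate too low to observe the ultrasonic band")
    n = len(frame)
    total = high = 0.0
    for k in range(1, n // 2 + 1):            # plain DFT, DC bin skipped
        coeff = sum(s * cmath.exp(-2j * math.pi * k * i / n)
                    for i, s in enumerate(frame))
        power = abs(coeff) ** 2
        total += power
        if k * sample_rate / n >= cutoff_hz:
            high += power
    return high / total if total else 0.0

def is_suspicious(frame, sample_rate, threshold=ALERT_RATIO):
    """True when ultrasonic content exceeds the assumed alert threshold."""
    return ultrasonic_energy_ratio(frame, sample_rate) > threshold

def tone(freq_hz, amplitude, n, sample_rate):
    """Constructed test input: a pure sine tone."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / sample_rate)
            for i in range(n)]

FS, N = 96_000, 480                           # 5 ms frame, 200 Hz bins
AUDIBLE = tone(1_000, 1.0, N, FS)             # stands in for normal speech
ULTRASONIC = tone(25_000, 1.0, N, FS)         # stands in for an inaudible carrier
MIXED = [a + b for a, b in zip(AUDIBLE, tone(25_000, 0.5, N, FS))]

if __name__ == "__main__":
    for name, frame in (("audible", AUDIBLE), ("ultrasonic", ULTRASONIC),
                        ("mixed", MIXED)):
        ratio = ultrasonic_energy_ratio(frame, FS)
        print(f"{name:10s} ratio={ratio:.3f} flag={is_suspicious(frame, FS)}")
```

A frame that trips the check can be dropped or logged before it reaches speech recognition; a 16 kHz capture raises an error instead of silently reporting zero.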


  • (Score: 2) by mcgrew on Thursday September 07 2017, @04:21PM (5 children)

    by mcgrew (701) <publish@mcgrewbooks.com> on Thursday September 07 2017, @04:21PM (#564634) Homepage Journal

    Hacks are a problem because programmers aren't smart enough to write good code. That "every program bigger than 'hello world' is buggy" is rank bullshit.

    --
    mcgrewbooks.com mcgrew.info nooze.org
  • (Score: 3, Insightful) by bob_super on Thursday September 07 2017, @06:50PM (4 children)

    by bob_super (1357) on Thursday September 07 2017, @06:50PM (#564711)

    Writing good safe code takes time and planning.
    We're shipping next week, push anything not critical into the next OTA update.

    • (Score: 2) by JoeMerchant on Friday September 08 2017, @12:13PM (2 children)

      by JoeMerchant (3937) on Friday September 08 2017, @12:13PM (#565031)

      This particular hack is dependent on a lack of diversity to make it work. If different models of phone used slightly different front ends with different sampling rates and cutoff frequencies, then the hack would have to be tailored to each target. Instead, industry has settled on a homogeneous solution, and therefore the exploit works everywhere.

      It's like planting a field with one variety of corn - if a blight hits the field, it can take out the entire crop, and quickly, spreading from neighboring plant to neighboring plant like fire in dry grass. If, instead, the field is planted with diverse crops, or even diverse types of corn, the blight might never spread from the first plant it infects, since it is surrounded by plants that are resistant to that particular - finely tuned, highly infectious to one type of corn - blight.

      --
      🌻🌻 [google.com]
      • (Score: 2) by bob_super on Friday September 08 2017, @04:22PM (1 child)

        by bob_super (1357) on Friday September 08 2017, @04:22PM (#565176)

        I'm gonna have to disagree.
        It's not lack of diversity, in this particular case. It's about convenience. Voice authentication is hard, and very sensitive microphones picking up as much frequency as possible can help.
        If the customer has to repeat orders in the same exact voice and frequency as they did during setup, they'll get rid of the useless invasive toy, which is not good for the ecosystem behind.

        The easy answer is to not bother with safety, to save design/debug time and to make it convenient (the MS school of design). And if it turns out that orders can be processed despite a frequency the human throat cannot generate, can always get back to that with an update later.
        Lack of diversity? Yay for competition! Nobody has time to do it right as they try to leapfrog each other.

        • (Score: 2) by JoeMerchant on Friday September 08 2017, @09:36PM

          by JoeMerchant (3937) on Friday September 08 2017, @09:36PM (#565338)

          "As much frequency as possible" doesn't have to stop at any particular ceiling, some can go to 38 kHz, others to 39 kHz, 44 kHz, or even 60 kHz if they wanted to. Even a small difference in sampling rate would distort this exploit to the point that it wouldn't work - it's dependent on the aliasing to always be at exactly the same frequency. A difference of 500 Hz would make the aliased voice unintelligible.

          --
          🌻🌻 [google.com]
    • (Score: 2) by mcgrew on Saturday September 09 2017, @02:20PM

      by mcgrew (701) <publish@mcgrewbooks.com> on Saturday September 09 2017, @02:20PM (#565653) Homepage Journal

      Indeed. You have fast, cheap, or quality. You can have any two of them but never all three.

      --
      mcgrewbooks.com mcgrew.info nooze.org