Stories
Slash Boxes
Comments

SoylentNews is people

'Surfing Attack' Hacks Siri, Google With Ultrasonic Waves

posted by Fnord666 on Thursday March 05 2020, @02:08PM   Printer-friendly
from the can-you-here-it-now? dept.

upstart writes in with an IRC submission for Bytram:

'Surfing attack' hacks Siri, Google with ultrasonic waves: Researchers use ultrasound waves vibrating through tables to access cellphones:

Attacks on cell phones aren't new, and researchers have previously shown that ultrasonic waves can be used to deliver a single command through the air.

However, new research from Washington University in St. Louis expands the scope of vulnerability that ultrasonic waves pose to cellphone security. These waves, the researchers found, can propagate through many solid surfaces to activate voice recognition systems and -- with the addition of some cheap hardware -- the person initiating the attack can also hear the phone's response.

The results were presented Feb. 24 at the Network and Distributed System Security Symposium in San Diego.

"We want to raise awareness of such a threat," said Ning Zhang, assistant professor of computer science and engineering at the McKelvey School of Engineering. "I want everybody in the public to know this."

Zhang and his co-authors were able to send "voice" commands to cellphones as they sat inconspicuously on a table, next to the owner. With the addition of a stealthily placed microphone, the researchers were able to communicate back and forth with the phone, ultimately controlling it from afar.

[...] Zhang said the success of the "surfing attack," as it's called in the paper, highlights the less-often discussed link between the cyber and the physical. Often, media outlets report on ways in which our devices are affecting the world we live in: Are our cellphones ruining our eyesight? Do headphones or earbuds damage our ears? Who is to blame if a self-driving car causes an accident?

"I feel like not enough attention is being given to the physics of our computing systems," he said. "This is going to be one of the keys in understanding attacks that propagate between these two worlds."

The team suggested some defense mechanisms that could protect against such an attack. One idea would be the development of phone software that analyzes the received signal to discriminate between ultrasonic waves and genuine human voices, Zhang said. Changing the layout of mobile phones, such as the placement of the microphone, to dampen or suppress ultrasound waves could also stop a surfing attack.

But Zhang said there's a simple way to keep a phone out of harm's way of ultrasonic waves: the interlayer-based defense, which uses a soft, woven fabric to increase the "impedance mismatch."

In other words, put the phone on a tablecloth.

Original Submission

 
This discussion has been archived. No new comments can be posted.
'Surfing Attack' Hacks Siri, Google With Ultrasonic Waves | Log In/Create an Account | Top | 5 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 4, Insightful) by Booga1 on Thursday March 05 2020, @05:38PM (4 children)

    by Booga1 (6333) on Thursday March 05 2020, @05:38PM (#967007)

    Or you know, turn the feature off? If you're in that special category of being a high value target, you should probably be turning off all these extra features.
    No voice assistant.
    No Bluetooth.
    No WI-FI.
    No NFC.
    No cloud sync/backups.
    No payment system(Apple pay, Samsung Pay, etc...)
    I'm probably not thinking of some others. Suggestions welcome.

    This isn't going to be an issue at most restaurants or other places people sit at tables with strangers in the general vicinity. At the very least the attacker needs to be within physical range AND the phone laying on a surface they have "control" over.
    I do love these proof of concept attacks, but I just can't see them becoming a common source of attacks.

    Starting Score:    1  point
    Moderation   +2  
       Insightful=2, Total=2
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   4  

  • (Score: 4, Insightful) by Kitsune008 on Thursday March 05 2020, @06:23PM (1 child)

    by Kitsune008 (9054) on Thursday March 05 2020, @06:23PM (#967024)

    I think I will be sad when I can no longer get an old school flip phone[1] to connect to the cell network. :-(

    [1] ZTE model Z222

  • (Score: 2) by NotSanguine on Thursday March 05 2020, @07:28PM

    by NotSanguine (285) <{NotSanguine} {at} {SoylentNews.Org}> on Thursday March 05 2020, @07:28PM (#967049) Homepage Journal

    Or you know, turn the feature off? If you're in that special category of being a high value target, you should probably be turning off all these extra features.
    No voice assistant.
    No Bluetooth.
    No WI-FI.
    No NFC.
    No cloud sync/backups.
    No payment system(Apple pay, Samsung Pay, etc...)

    I'm most certainly not a "high-value target" but I do those things as a matter of course.

    I also disable GPS and Google location services.

    I'd love to disable carrier tracking, but it is, well, you know, a phone. And I'd like to be able to send/receive phone calls. Text messages too, although more and more of my contacts are moving to Signal [signal.org], with iPhone users lagging, as they have to jump through hoops to get away from iMessage.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr

  • (Score: 2) by corey on Thursday March 05 2020, @08:43PM

    by corey (2202) on Thursday March 05 2020, @08:43PM (#967085)

    Done all that. And I'm no high value target, just care about privacy.

    "Hey Siri, apply a low pass filter with a roll of frequency of 5 kilohertz."

    Done.