I just love this cyber security story…

This is all just academic research (at the moment) but here is a story about exploiting the range of voice assistants, Siri, Google Assistant, Alexa and Cortana, using voice commands, issued from one device, that are inaudible to the human owners, but can activate another device. To do what? Here is a quote from the article:

“… millions of devices, from phones and laptops to speakers, lights, garage door openers and front door locks, could be remotely hijacked, using carefully crafted near-ultrasonic sounds, and forced to make unwanted phone calls and money transfers, disable alarm systems, or unlock doors.”

Jessica Lyons Hardcastle – The Register

Hey Siri, use this NUIT attack to disarm a smart-home system • The Register

I use Siri, on my iPhone and Apple Watch – as do many of you, my son’s flat is wired for Siri, a friend uses Google Home, another has an Echo Dot in nearly every room, mainly used for turning the lights on and off, but the home security system is linked into it as well. Now it appears that a inaudible sound from your laptop, delivered surreptitiously, could control your phone or disable your office alarm.

And it seems Apple devices and Siri are more open to the attack that other devices, because the malicious audio can turn the volume down on the Apple device so you do not hear Siri’s response to the attack. This voice command feature it not available on the other flavours of voice assistants tested (attacked), so they gave the attack away to the user by audibly responding.

Risk Assessment

I spend a lot of my time discussing risk with clients and trying to see whether a particular cyber security threat could harm their operations, and then working out how we will mitigate that risk.

Now Near-Ultrasound Inaudible Trojan (NUIT) attacks are only an academic research paper at the moment, but examining the risk of such attacks will be a challenge. I suppose turning off any voice control on any devices in the office is a start, as the attack could come from any Zoom call where the volume is turned up too loud. Or as suggested by Guenevere Chen and her research team, the permanent use of headphones or buds could be mandated – if the voice assistants cannot here the NUIT attack then they cannot respond.

Caution should always be exercised when allowing apps access to the microphone of your device – if unsure then say “No”.

This attack also feels more personal as it will go after our smartphones and watches, things we have with us all the time and often take for granted. A work Teams meeting could lead to a cyber attack on your personal bank account!

The fix will need to come from the manufacturers or we will need to very carefully control how we all use voice assistants!

But this story is still a fun, “what if”.

Clive Catton MSc (Cyber Security) – by-line and other articles

References

University of Texas at San Antonio. (2023). Uncovering the unheard: Researchers reveal inaudible remote cyber-attacks on voice assistant devices. UTSA. Retrieved April 4, 2023, from https://www.utsa.edu/today/2023/03/story/chen-nuit-research.html