A New Ultrasonic Hack Can Exploit Your Siri

A new hack called a SurfingAttack uses ultrasonic guided waves to communicate with a device through the voice assistant.

Apr 7, 2020 at 8:01 p.m. UTC
Updated Sep 14, 2021 at 8:26 a.m. UTC

Researchers are sounding the alarm about a new type of hack focused on smart digital assistants like the Amazon Alexa or Apple's Siri.

The hack, called a "SurfingAttack," uses ultrasonic guided waves that are imperceptible to the human ear to communicate with a device through the voice assistant. It could be used to target Ring services with door deadbolts attached or move the temperature dial on your thermostat.

Security researchers who developed the attack say it enables multiple rounds of interactions between a voice-controlled device and attackers over relatively long distances and without the need for the device to be within sight. It could even be conducted through a heavy surface, like a table.

“Humans cannot hear anything, but the voice assistants will interpret these ultrasonic sounds as a voice command, and conduct certain operations because of it,” said Qiben Yan, an assistant professor at Michigan State University’s Secure and Intelligent Things Lab, who was the lead investigator on the project. “Sending the commands to the voice assistance, we can basically control the voice assistant. There's a lot of opportunities for this when people put their phones down on a table and leave them unattended.”

Yan said hackers could launch conversations with a victim's contacts and, depending on how connected their devices are, potentially control home devices, lock or unlock a car or front door, or alter the thermometer. Such attacks could also impact two-factor authentication by reading the security code sent via text back to the hacker.

Using a $5 off-the-shelf PZT transducer, a type of electroacoustic transducer, the researchers were able to successfully compromise the following devices. 

Table of phones that researchers compromised.

They believe that more devices could be vulnerable, including phones protected by silicone rubber phone cases.

There are steps people can take to prevent such attacks, though. Disabling the voice assistant when your phone is locked, or making sure your phone is on a covering such as a tablecloth, can stop the ultrasonic waves from affecting it. Using phone cases of uncommon materials like wood can also help.
