
Siri and Alexa can be exploited with ultrasonic commands

Alexa, tell me a joke. Alexa, set a timer. Alexa, install malicious software. Wait, what? Voice assistants are handy because they’re always listening, but hackers have found a way to turn that against us, according to a new study reported via New Scientist. Voice assistants including Amazon Alexa, Apple’s Siri, Google Now, Microsoft’s Cortana, and Samsung S have been hacked by a team of researchers at Zhejiang University in China using ultrasonic voices.

If you’ve ever been watching a YouTube video that says something like “OK Google,” or “Xbox, turn on,” you’ve seen the first step of the equation in action. These voice assistants are pretty smart, but they can’t tell the difference between live and recorded voices. The research team took those voice recordings and converted them into high-pitched versions outside the range of human hearing and found they were still able to send commands to these electronic devices.

Using these recordings, they were able to do things like open malicious websites, initiate voice and video calls to listen to the device’s surroundings, and even send text messages.

Not all hacks are created equal

The researchers did note that some devices were tougher to hack than others. The recordings had to be played pretty close to the devices – as close as 2 centimeters away depending on conditions. Siri required a recording of its user, and wouldn’t respond to just any voice.

There are also a few measures that could be implemented on future iterations of the devices, or maybe even through software updates. Decreasing the hearing range of the devices to register only human-frequency voices is one simple step, as is limiting the commands they can execute without special permissions. I don’t know about you, but I’d love to have a voice-based password.

“Alexa, order me a 10-pound bag of gummi bears,” I would say. “Additional permissions required to execute this command,” it would then reply. “Please provide an authorization code.”

“Authorization code Omega Two-One-Seven Tango,” I would reply.
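One way the first measure above could look in software, as an added example that is not from the study or any vendor: before audio reaches the recognizer, measure how much of its energy sits above human hearing and drop the capture if that share is too high. The 96 kHz capture rate, the probe bands, the 5% threshold and all function names are assumptions for illustration, and the test signals are constructed.

```python
import math

SAMPLE_RATE = 96_000         # assumed capture rate; must exceed 2x the highest frequency checked
ULTRASONIC_MIN_HZ = 20_000   # approximate upper limit of human hearing
MAX_ULTRASONIC_RATIO = 0.05  # assumed tolerance; would need tuning per microphone

def goertzel_power(samples, freq_hz):
    """Power of `samples` at a single frequency (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq_hz / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_power(samples, lo_hz, hi_hz, step_hz=500):
    """Sum of power at evenly spaced probe frequencies in [lo_hz, hi_hz]."""
    return sum(goertzel_power(samples, f) for f in range(lo_hz, hi_hz + 1, step_hz))

def ultrasonic_ratio(samples):
    """Fraction of the probed energy that lies above the range of human hearing."""
    voice = band_power(samples, 500, 8_000)                 # band a speech recognizer needs
    ultra = band_power(samples, ULTRASONIC_MIN_HZ, 45_000)  # inaudible band
    total = voice + ultra
    return ultra / total if total else 0.0

def accept_capture(samples):
    """Pass audio to the recognizer only if it is mostly in the audible band."""
    return ultrasonic_ratio(samples) <= MAX_ULTRASONIC_RATIO

def tone(freq_hz, amplitude=1.0, n=960):
    """Constructed test signal: n samples (10 ms) of a pure sine wave."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / SAMPLE_RATE) for i in range(n)]

if __name__ == "__main__":
    audible = tone(1_000)      # stands in for normal speech energy
    inaudible = tone(25_000)   # stands in for a high-pitched, inaudible recording
    mixed = [a + b for a, b in zip(audible, inaudible)]
    for name, buf in (("audible", audible), ("inaudible", inaudible), ("mixed", mixed)):
        print(name, round(ultrasonic_ratio(buf), 3), accept_capture(buf))
```

A check like this only works if the microphone path samples fast enough to see the inaudible band at all; a hardware low-pass filter in front of the converter achieves the same goal without any software.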

Either way, this is something companies like Amazon, Apple, and Google clearly need to be thinking about, along with Microsoft and its Cortana integration in Windows 10. It’s only theoretical, and the fixes seem pretty easy, but it is still a possibility.

New Scientist

Eric Frederiksen
