Hackers Can Silently Control Your Google Home, Alexa, Siri With Laser Light
A team of cybersecurity researchers has discovered a clever technique to
remotely inject inaudible and invisible commands into voice-controlled
devices — all just by shining a laser at the targeted device instead of
using spoken words.
Dubbed 'Light Commands,' the hack relies on a vulnerability in the
MEMS microphones embedded in widely used voice-controllable systems:
the microphones unintentionally respond to light as if it were sound.
According to experiments done by a team of researchers from Japanese and
Michigan Universities, a remote attacker standing several meters away
from a device can covertly trigger the attack by
simply modulating the amplitude of laser light to produce an acoustic
pressure wave.
"By modulating an electrical signal in the intensity of a light beam,
attackers can trick microphones into producing electrical signals as if
they are receiving genuine audio," the researchers said in their paper.
Smart voice assistants in your phones, tablets, and other smart devices,
such as Google Home and Nest Cam IQ, Amazon Alexa and Echo, Facebook
Portal, and Apple Siri devices, are all vulnerable to this new light-based
signal injection attack.
"As such, any system that uses MEMS microphones and acts on this data without additional user confirmation might be vulnerable," the researchers said.
Since the technique ultimately allows attackers to inject commands as a legitimate user, the impact of such an attack can be evaluated based on the level of access your voice assistants have over other connected devices or services.
Therefore, with the light commands attack, the attackers can also hijack any digital smart systems attached to the targeted voice-controlled assistants, for example:
- Control smart home switches,
- Open smart garage doors,
- Make online purchases,
- Remotely unlock and start certain vehicles,
- Open smart locks by stealthily brute-forcing the user's PIN number.