Good afternoon guys, Sec Solutions is back again with another blog.
Today we are going to look at a recent attack trend brought to light by a group of researchers from the University of Electro-Communications and Michigan: signal injection attacks on microphones based on the photoacoustic effect.
They revealed a clever technique for controlling voice-controlled systems: remotely injecting inaudible, invisible commands by shining a laser light on the targeted device from a distance, as a replacement for spoken words.
The attack relies on a hardware vulnerability in the MEMS (Micro-Electro-Mechanical Systems) microphones built into popular voice-controlled systems; devices such as Google Home, Nest Cam, Amazon Alexa and Echo, and Apple Siri are subject to this type of attack.
How do they do it?
A remote attacker can stealthily trigger the attack merely by modulating the amplitude of laser light. No user interaction and no direct access are needed; all an attacker needs is line-of-sight access to the device's microphone.
By modulating the intensity of the light, the attacker can deceive the microphone into behaving as if it were receiving audio from a legitimate user. If voice recognition is enabled, the attacker can build a recording of the desired voice commands from relevant words spoken by the genuine user.
The researchers said that attackers can hijack any digital system that has a voice control assistant, for example:
- Remotely unlocking and starting certain vehicles
- Opening of Smart Locks
- Online purchases
- Smart Home Switches
- Smart garage doors
The maximum operating distance depends on the intensity of the laser light and the attacker's aiming capabilities; physical barriers (e.g. a window) and the absorption of ultrasonic waves in air can also reduce the range of the attack.
A demo video of the attack from the researchers is here.
The researchers have published a list of vulnerable voice recognition systems, along with the laser power each requires.
The researchers said that they spent around $600 USD to set up the equipment: a simple laser pointer, a laser driver, a sound amplifier, and a telephoto lens to focus the beam over longer distances.
The researchers even tried various smartphones that use voice assistants, including the iPhone XR, Samsung Galaxy S9, and Google Pixel 2, but the attack works on them only at short distances.
- Developers should add an extra layer of authentication before commands are processed, to mitigate malicious attacks.
- Avoid keeping your devices where there is line-of-sight access to them.
- Keep them behind a physical barrier that separates them from the outside.
That’s it guys. Be happy, be safe.