Hackers Figure Out How to Remotely Talk to Siri
An exploit like this was bound to happen. Voice recognition technology may have been an idea since Star Trek or before, but it’s only really come to the consumer front in the past few years with the rise of Android and iOS, both of which have voice-activated virtual assistants. Now hackers have, brilliantly, figured out how to remotely talk to these devices using radio signals.
On the surface, an attack like this seems potentially innocuous. So what if someone can make your virtual assistant look up information remotely? But consider the other things the virtual assistants are in charge of, such as opening web browsers. Bringing that into account, it’s easy to see the potential attack vectors: use the radio signal to open a web page that has a more advanced malware kit ready to deploy. While iOS is a bit more difficult than Android to compromise in this way, it’s not hard to imagine after the recent XCodeGhost fiasco.
It doesn’t take a super nerd to build the attack kit, either. A laptop running GNU Radio and an antenna with an amplifier is about all you need. The current exploit kit only gives the attacker about six feet of range, but like all technology, someone could most likely improve this. A bigger version of the kit can go up to an extra ten feet, but would require a good deal of space to use, like a van.
The developers were most likely amateurs at radio, and an expert could probably figure out better ways to deliver the signal. Combined with some well-done scripting magic and a bit of social engineering, someone standing in a busy mall could randomly deploy hundreds of malware kits in a matter of hours.
The most important limitation currently noted about this exploit could also be developed around with the right craftiness. This limitation is the one that requires there to be headphones with microphone attached. It’s unclear if the exploit would be useful in hacking Bluetooth devices or not. In any case, for iPhone users it is all too common that they be wearing their standard issue Apple headphones, which have included a microphone for years.
Android users have a converse benefit to the benefit of iOS users’ closed software ecosystem: Google Now is not activated by default. Siri, on the other hand, is activated from the time you turn on the phone from the factory.
Users of both systems have another advantage over potential attackers: much of the time their phones would be in a place that they could potentially notice the activation. However, a phone that was in a pocket or bag would be less easy to notice.
Research into acoustic technology seems to be ongoing, with Google more recently experimenting with using tones to share URLs between computers. It is unknown at this time whether Microsoft’s Cortana virtual assistant will be vulnerable to similar attacks.
Images from Shutterstock.