New Ultrasound Attack Can Secretly Hijack Phones and Smart Speakers

Academics in the US have developed an attack dubbed NUIT, for Near-Ultrasound Inaudible Trojan, that exploits vulnerabilities in smart device microphones and voice assistants to silently and remotely access smart phones and home devices. The Register reports: The research team -- Guenevere Chen, an associate professor at the University of Texas at San Antonio, her doctoral student Qi Xia, and Shouhuai Xu, a professor at the University of Colorado Colorado Springs -- found Apple's Siri, Google's Assistant, Microsoft's Cortana, and Amazon's Alexa are all vulnerable to NUIT attacks, albeit to different degrees. In an interview with The Register this month, Chen and Xia demonstrated two separate NUIT attacks: NUIT-1, which emits sounds to exploit a victim's smart speaker to attack the same victim's microphone and voice assistant on the same device, and NUIT-2, which exploits a victim's speaker to attack the same victim's microphone and voice assistant on a different device. Ideally, for the attacker, these sounds should be inaudible to humans.

The attacks work by modulating voice commands into near-ultrasound inaudible signals so that humans can't hear them but the voice assistant will still respond to them. These signals are then embedded into a carrier, such as an app or YouTube video. When a vulnerable device picks up the carrier, it ends up obeying the hidden embedded commands. Attackers can use social engineering to trick the victim into playing the sound clip, Xia explained. 'And once the victim plays this clip, voluntarily or involuntarily, the attacker can manipulate your Siri to do something, for example, open your door.'

For NUIT-1 attacks, using Siri, the answer is yes. The boffins found they could control an iPhone's volume so that a silent instruction to Siri generates an inaudible response. The other three voice assistants -- Google's, Cortana, and Alexa -- are still susceptible to the attacks, but for NUIT-1, the technique can't silence devices' response so the victim may notice shenanigans are afoot. It's also worth noting that the length of malicious commands must be below 77 milliseconds -- that's the average reaction time for the four voice assistants across multiple devices.

In a NUIT-2 attack, the attacker exploits the speaker on one device to attack the microphone and associated voice assistant of a second device. These attacks aren't limited by the 77-millisecond window and thus give the attacker a broader range of possible action commands. An attacker could use this scenario during Zooms meeting, for example: if an attendee unmutes themself, and their phone is placed next to their computer, an attacker could use an embedded attack signal to attack that attendees phone. The researchers will publish their research and demonstrate the NUIT attacks at the USENIX Security Symposium in August.

Read more of this story at Slashdot.