Researchers recently discovered that digital assistants like Siri and Google Assistant could be hijacked using ultrasonic waves. Three years ago, researchers from China also discovered an ingenious way to access a digital assistant. Now, a team of security researchers seems to have been working on the same technology, but the newer version is more capable than the one discovered by Chinese security researchers.
SurfingAttack
SurfingAttack is a type of exploit that utilizes inaudible high-frequency sound waves to gain access and interact with the digital assistant of a smartphone or device. Although there are similar attacks reported over the years, this kind of exploit concentrates on the transmission of the ultrasonic waves through solid materials.
The team used the $5 piezoelectric transducer attached to a table to transmit ultrasonic waves and use the device's voice assistant unknown to the owner. The inaudible waves allowed security researchers to gain access to the device and do a lot of things. This includes taking pictures, making phone calls, and reading messages that come with a two-factor authentication passcode.
SurfingAttack exploit was tested to 17 devices and was confirmed to be effective on almost all of the test devices. The team revealed that Apple iPhones, Samsung Galaxy, and Google Pixel devices are vulnerable to SurfingAttack. However, the team did not specify which models were tested but claimed that only Huawei Mate 9 and Samsung Galaxy Note 10 Plus were immune to the exploit.
Other Details
The study was conducted by the collective effort of academics from various schools and universities. It includes the Chinese Academy Sciences, Michigan State University, Washington University in St. Louis, and the University of Nebraska-Lincoln. The paper produced by the security researchers is titled "Interactive Hidden Attack on Voice Assistants Using Ultrasonic Guided Waves."
It explains how the team was able to exploit voice assistants on smartphones via solid objects like glass, metal, or wood by using the inaudible ultrasonic waves. On its official website, the researchers claim that "By leveraging the unique properties of acoustic transmission in solid materials, we design a new attack called SurfingAttack that would enable multiple rounds of interactions between the voice-controlled device and the attacker over a longer distance."
How To Prevent SurfingAttack
Security researchers recommend that users must always keep an eye on their devices placed on tabletops. Also, it is wise if users could minimize touching the surface area of their smartphones with the table. Researchers also suggest that before placing the device on the tabletop, it must be placed on a soft woven fabric first. It would also help if the user used a thicker phone case made of unconventional materials like wood.
