[HN Gopher] SurfingAttack: attack on voice assistants using ultr...
___________________________________________________________________

SurfingAttack: attack on voice assistants using ultrasonic guided wave

Author : seiters
Score : 125 points
Date : 2020-02-06 14:41 UTC (8 hours ago)

(HTM) web link (surfingattack.github.io)
(TXT) w3m dump (surfingattack.github.io)

| [deleted]

| emptybits wrote:
| Disable your locked phone from always listening for "OK Google"
| or "Hey Siri". Protected, no? Their list of five ways to "defend
| against SurfingAttack" doesn't include this obvious one. i.e. If
| you want to give a voice command, pick up your phone and press a
| button to speak. Protected and still pretty darn convenient IMO.
|
| Otherwise, great project and succinct video proof of how clever
| conveniences often conflict with security.

| seiters wrote:
| Thanks for the comment. This defense works: but you have to
| remember to lock your phone when you put it down.

| rvz wrote:
| Absolutely this. This is exactly the same advice I gave earlier
| to defend against this SurfingAttack and yet somehow I was
| downvoted for no reason. Oh dear...

| rvz wrote:
| Well this is why you disable the "Ok Google" / "Hey Google"
| hotword or "Listen for Hey Siri" or always listening features and
| congrats you are immune to this attack. Job done for your phones.
|
| Perhaps a more interesting experiment would be to try this on
| Alexa, HomePods and Google Home devices.

| Animats wrote:
| Coming soon to a Starbucks near you.

| trhway wrote:
| It worked well at the Cuban embassy
| https://spectrum.ieee.org/semiconductors/devices/how-we-reve...

| ElijahLynn wrote:
| Was thinking about this the other day, when I heard the assistant
| trigger when there was _zero_ sound to prompt it. And was
| thinking of an attack where someone can literally trigger a
| listen from outside your house.
| Especially dangerous because the
| default on a new Google Home (max hub nest truck whatever they
| call it) is to not have an audible prompt on a trigger.
|
| So an attacker can literally just listen in with a press of a
| button. Probably gonna have to turn off this feature altogether
| for the immediate future.

| jmole wrote:
| How exactly are they going to listen in? Are they on the other
| end of the line?

| nateferrero wrote:
| If they can get it to listen, they can theoretically have it
| dial a number

| squarefoot wrote:
| Or call for a fake SWAT raid to the same house, so that the
| owner is either being shot or imprisoned. If that can
| really be triggered from distance without breaking in, it
| would make it the perfect revenge weapon.

| sirbranedamuj wrote:
| The default _used to be_ to have the sound chime. Then the
| default changed and it stopped doing it one day. I turned it
| back on and I'm glad I did - it has so many phantom activations
| that it's made me even more wary about having them in my house
| to begin with.

| up6w6 wrote:
| There is another very similar attack that uses laser beans
| instead of sound waves but this looks less efficient because of
| the distance limitation.
|
| https://news.ycombinator.com/item?id=21453554

| rickdeckard wrote:
| There's also the big difficulty to harvest laser beans...
|
| But seriously, I wouldn't say this one is less efficient, both
| attacks are quite different in scope. The laser-based attack
| requires line-of-sight to the device and apparently works only
| on stationary home-assistants (i.e. your Google Home), while
| this ultrasonic method explicitly targets Smartphones and has
| potential for wide unfocused attacks at public spaces (i.e. by
| rigging a table in a coffee-shop).

| hansschouten wrote:
| Interesting attack.
| Reminds me of the DolphinAttack
| (https://arxiv.org/abs/1708.09537)

| anfractuosity wrote:
| Also there's the 'Audio Hotspot Attack' -
| https://ieeexplore.ieee.org/document/8906174
|
| Which uses a parametric speaker, which uses a number of
| ultrasonic transducers which "emit amplitude-modulated
| ultrasounds that will be self-demodulated in the air"

| Jernik wrote:
| This requires the phone to be unlocked to do most of this,
| doesn't it? What is the attack vector here, someone leaving their
| phone unlocked on a table and not paying attention to the screen?

| arianvanp wrote:
| Google phones push you hard in their UI wizards to enable
| auto-unlock when on "known wifi" networks.

| clSTophEjUdRanu wrote:
| I've owned nothing but "Google phones" since the Nexus 4 and
| don't know what you're talking about. Do you mean smart
| unlock?
|
| Pushing hard is pretty subjective, I don't see a "hard" push
| to turn off security features. As a matter of fact I've seen
| warnings about disabling the lock screen.

| JakeTheAndroid wrote:
| My Pixel 3 prompted me to turn off the auto-locking feature
| when I was at home because it saw that I unlocked my phone
| a lot in that geofenced location. It also did that at my
| old job as well since the situation was pretty similar. I
| would get this prompt about once a month.
|
| So I would agree, it's not a hard push, Google is def
| nudging people towards less secure logins. My S10+ asked me
| this same question about a week into owning the phone, but
| it never bothered me about it again once I declined. And at
| no point in either system was I made aware of the risks
| I was accepting if I enabled it.
|
| So, not a Google specific issue, but it's a less than ideal
| approach considering how sensitive people's phones are
| today.

| seiters wrote:
| Not necessarily. Both Android and iOS allow voice assistants to
| interact with phones for certain activities even without
| unlocking the phones.
| Typical scenario: someone puts a phone on
| the table and does something else (typing on a computer), not
| paying attention to the screen.

| ElijahLynn wrote:
| This isn't just phones.

| dylan604 wrote:
| I know lots of people that have their phones set to not lock
| automatically. Some of these include not locking them when they
| throw the phone in their purse, or put it in their back pocket.
| "I can't be bothered to type in my password every time I pick
| it up" or "My kids bother me too often to unlock the phone."
| It's absolutely mind boggling.

| iudqnolq wrote:
| Password? I've never met someone else irl who sets a password
| on their phone. Best I've ever seen is a PIN.

| dylan604 wrote:
| Nice to meet you. I have a pass phrase comprising 4 short
| words (totaling 18 characters) that are easy to remember
| and easy to type in. Someone is going to need the $5 wrench
| to figure out how to unlock my phone.

| pc86 wrote:
| They obviously mean the same thing in this context.

| dylan604 wrote:
| Thank you. It's not like the use of the word 'password'
| made the point I was making difficult to understand. I
| had actually tried to use the word passcode, but it was
| auto-filled/corrected to password and I didn't catch it.

| iudqnolq wrote:
| If you open the Android security settings you'll be asked
| if you want to set a password or pin. A password is
| longer and can contain arbitrary characters. I've never
| heard a person refer to a short series of numbers used to
| protect something as a password and not a pin.

| vgb2k18 wrote:
| > I've never heard a person refer to a short series of
| numbers used to protect something as a password and not a
| pin.
|
| Until today... Screenshot from Android phone -
| https://ibb.co/KD27YGL

| circa wrote:
| I know a lot of people who say that too. It's awful.

| ElijahLynn wrote:
| Really great demo videos on the webpage, fwiw.

| snug wrote:
| Reminds me of the smarter every day video where Destin used
| lightwaves against smart homes
|
| https://www.youtube.com/watch?v=ozIKwGt38LQ

| seiters wrote:
| SurfingAttack exploits ultrasonic guided wave propagating through
| solid-material tables to attack voice control systems.
| Interesting!
___________________________________________________________________
(page generated 2020-02-06 23:00 UTC)