[HN Gopher] SurfingAttack: attack on voice assistants using ultr...
       ___________________________________________________________________
        
       SurfingAttack: attack on voice assistants using ultrasonic guided
       wave
        
       Author : seiters
       Score  : 125 points
       Date   : 2020-02-06 14:41 UTC (8 hours ago)
        
 (HTM) web link (surfingattack.github.io)
 (TXT) w3m dump (surfingattack.github.io)
        
       | [deleted]
        
       | emptybits wrote:
       | Disable your locked phone from always listening for "OK Google"
       | or "Hey Siri". Protected, no? Their list of five ways to "defend
       | against SurfingAttack" doesn't include this obvious one. i.e. If
       | you want to give a voice command, pick up your phone and press a
       | button to speak. Protected and still pretty darn convenient IMO.
       | 
       | Otherwise, great project and succinct video proof of how clever
       | conveniences often conflict with security.
        
         | seiters wrote:
         | Thanks for the comment. This defense works, but you have to
         | remember to lock your phone when you put it down.
        
         | rvz wrote:
         | Absolutely this. This is exactly the same advice I gave earlier
         | to defend against this SurfingAttack and yet somehow I was
         | downvoted for no reason. Oh dear...
        
       | rvz wrote:
       | Well this is why you disable the "Ok Google" / "Hey Google"
       | hotword or "Listen for Hey Siri" or always listening features and
       | congrats you are immune to this attack. Job done for your phones.
       | 
       | Perhaps a more interesting experiment would be to try this on
       | Alexa, HomePods and Google Home devices.
        
       | Animats wrote:
       | Coming soon to a Starbucks near you.
        
         | trhway wrote:
         | It worked well at the Cuban embassy
         | https://spectrum.ieee.org/semiconductors/devices/how-we-reve...
        
       | ElijahLynn wrote:
       | Was thinking about this the other day, when I heard the assistant
       | trigger when there was _zero_ sound to prompt it. And was
       | thinking of an attack where someone can literally trigger a
       | listen from outside your house. Especially dangerous because the
       | default on a new Google Home (max hub nest truck whatever they
       | call it) is to not have an audible prompt on a trigger.
       | 
       | So an attacker can literally just listen in with a press of a
       | button. Probably gonna have to turn off this feature altogether
       | for the immediate future.
        
         | jmole wrote:
         | How exactly are they going to listen in? Are they on the other
         | end of the line?
        
           | nateferrero wrote:
           | If they can get it to listen, they can theoretically have it
           | dial a number
        
             | squarefoot wrote:
             | Or call for a fake SWAT raid to the same house, so that the
             | owner is either being shot or imprisoned. If that can
             | really be triggered from distance without breaking in, it
             | would make it the perfect revenge weapon.
        
         | sirbranedamuj wrote:
         | The default _used to be_ to have the sound chime. Then the
         | default changed and it stopped doing it one day. I turned it
         | back on and I'm glad I did - it has so many phantom activations
         | that it's made me even more wary about having them in my house
         | to begin with.
        
       | up6w6 wrote:
       | There is another very similar attack that uses laser beans
       | instead of sound waves but this looks less efficient because of
       | the distance limitation.
       | 
       | https://news.ycombinator.com/item?id=21453554
        
         | rickdeckard wrote:
         | There's also the big difficulty to harvest laser beans...
         | 
         | But seriously, I wouldn't say this one is less efficient, both
         | attacks are quite different in scope. The laser-based attack
         | requires line-of-sight to the device and apparently works only
         | on stationary home-assistants (i.e. your Google Home), while
         | this ultrasonic method explicitly targets Smartphones and has
         | potential for wide unfocused attacks at public spaces (i.e. by
         | rigging a table in a coffee-shop).
        
       | hansschouten wrote:
       | Interesting attack. Reminds me of the DolphinAttack
       | (https://arxiv.org/abs/1708.09537)
        
         | anfractuosity wrote:
         | Also there's the 'Audio Hotspot Attack' -
         | https://ieeexplore.ieee.org/document/8906174
         | 
         | Which uses a parametric speaker, which uses a number of
         | ultrasonic transducers which "emit amplitude-modulated
         | ultrasounds that will be self-demodulated in the air"
        
       | Jernik wrote:
       | This requires the phone to be unlocked to do most of this,
       | doesn't it? What is the attack vector here, someone leaving their
       | phone unlocked on a table and not paying attention to the screen?
        
         | arianvanp wrote:
         | Google phones push you hard in their UI wizards to enable auto-
         | unlock when on "known wifi" networks.
        
           | clSTophEjUdRanu wrote:
           | I've owned nothing but "Google phones" since the Nexus 4 and
           | don't know what you're talking about. Do you mean smart
           | unlock?
           | 
           | Pushing hard is pretty subjective, I don't see a "hard" push
           | to turn off security features. As a matter of fact I've seen
           | warnings about disabling the lock screen.
        
             | JakeTheAndroid wrote:
             | My Pixel 3 prompted me to turn off the auto-locking feature
             | when I was at home because it saw that I unlocked my phone
             | a lot in that geofenced location. It also did that at my
             | old job as well since the situation was pretty similar. I
             | would get this prompt about once a month.
             | 
             | So I would agree, it's not a hard push, Google is def
             | nudging people towards less secure logins. My S10+ asked me
             | this same question about a week into owning the phone, but
             | it never bothered me about it again once I declined. And at
             | no point in either system was I made aware of the risks
             | I was accepting if I enabled it.
             | 
             | So, not a Google specific issue, but it's a less than ideal
             | approach considering how sensitive people's phones are
             | today.
        
         | seiters wrote:
         | Not necessarily. Both Android and iOS allow voice assistants to
         | interact with phones for certain activities even without
         | unlocking the phones. Typical scenario: someone puts a phone on
         | the table and does something else (typing on a computer), not
         | paying attention to the screen.
        
         | ElijahLynn wrote:
         | This isn't just phones.
        
         | dylan604 wrote:
         | I know lots of people that have their phones set to not lock
         | automatically. Some of these include not locking them when they
         | throw the phone in their purse, or put it in their back pocket.
         | "I can't be bothered to type in my password every time I pick
         | it up" or "My kids bother me too often to unlock the phone."
         | It's absolutely mind boggling.
        
           | iudqnolq wrote:
           | Password? I've never met someone else irl who sets a password
           | on their phone. Best I've ever seen is a PIN.
        
             | dylan604 wrote:
             | Nice to meet you. I have a pass phrase comprising 4 short
             | words (totaling 18 characters) that are easy to remember
             | and easy to type in. Someone is going to need the $5 wrench
             | to figure out how to unlock my phone.
        
             | pc86 wrote:
             | They obviously mean the same thing in this context.
        
               | dylan604 wrote:
               | Thank you. It's not like the use of the word 'password'
               | made the point I was making difficult to understand. I
               | had actually tried to use the word passcode, but it was
               | auto-filled/corrected to password and I didn't catch it.
        
               | iudqnolq wrote:
               | If you open the Android security settings you'll be asked
               | if you want to set a password or pin. A password is
               | longer and can contain arbitrary characters. I've never
               | heard a person refer to a short series of numbers used to
               | protect something as a password and not a pin.
        
               | vgb2k18 wrote:
               | > I've never heard a person refer to a short series of
               | numbers used to protect something as a password and not a
               | pin.
               | 
               | Until today... Screenshot from Android phone -
               | https://ibb.co/KD27YGL
        
           | circa wrote:
           | I know a lot of people who say that too. It's awful.
        
       | ElijahLynn wrote:
       | Really great demo videos on the webpage, fwiw.
        
       | snug wrote:
       | Reminds me of the Smarter Every Day video where Destin used
       | lightwaves against smart homes
       | 
       | https://www.youtube.com/watch?v=ozIKwGt38LQ
        
       | seiters wrote:
       | SurfingAttack exploits ultrasonic guided wave propagating through
       | solid-material tables to attack voice control systems.
       | Interesting!
        
       ___________________________________________________________________
       (page generated 2020-02-06 23:00 UTC)