A team of international security researchers, which involved the University of Washington, the University of Michigan, the Chinese Academy of Sciences and the University of Nebraska-Lincoln, has identified a way to activate the voice assistants of smartphones by giving them commands with the use of ultrasound, which cannot be perceived by the human ear, thus posing the risk of attacks that can go unnoticed.
Named "SurfingAttack", the technique is based on the transmission of ultrasound through solid means such as a table top. Using a simple and inexpensive piezoelectric transducer, located below the table top, the researchers managed to spread ultrasound and activate the voice assistant by going completely unnoticed (or rather: unheard).
Using these communications that were not audible to the ear, the researchers managed to awaken the voice assistants and issue a series of commands that allowed them to make calls, take photos and read a message that contained a verification code of a two-factor authentication system. . In order to conceal the attack even more effectively, the researchers first sent a command to lower the volume level of the device.
SurfingAttack has been tested against 17 devices and has shown efficacy with most of them. Some models of iPhone, Google Pixel and Samsung Galaxy they were vulnerable to attack. Overall all digital assistants – Siri, Google Assistant and Samsung Bixby – have shown their side to this technique. The only exceptions turned out to be Huawei Mate 9 and Samsung Galaxy Note 10+, against which the attack was unsuccessful, perhaps due to the acoustic properties of the materials with which these devices are built. Non-portable devices such as Amazon Echo or Google Home home voice assistants also proved immune to attack. The technique has also shown less efficacy when a towel or tablecloth was placed on the table.
How could such a technique be exploited in the real world? The most likely scenario seems to be one in which criminals and attackers hide in advance the necessary equipment under the tables of public places such as bars, restaurants and coworking spaces to steal information or give specific commands on the phone of unwitting victims.
The effectiveness of the technique due to the non-linearity of the MEMS microphones (Micro Electro-Mechanlical System), widely used in today's devices, and which use a small diaphragm capable of detecting and interpreting frequencies that are not audible to the human ear and in some cases even electromagnetic frequencies in the visible spectrum.
