Lasers can silently issue 'voice commands' to your smart speakers

Discussion in 'Headline News' started by jigwashere, Nov 5, 2019.

  1. jigwashere

    jigwashere Life is a circus!

    Messages:
    17,227
    Likes Received:
    11,790
    Trophy Points:
    288
    https://www.engadget.com/2019/11/05/lasers-voice-commands-smart-speaker/


    Lasers can silently issue 'voice commands' to your smart speakers

    by Mariella Moon, engadget.com

    Laser pointers can apparently trick smart speakers, phones and tablets into following voice commands to open doors or make purchases, even from hundreds of feet away. Researchers from Tokyo and the University of Michigan have revealed that they were able to take over Google Assistant, Apple Siri and Amazon Alexa devices by shining laser pointers or flashlights at their microphones. One of the researchers, Daniel Genkin, was also part of the team that discovered the Meltdown and Spectre CPU vulnerabilities.

    The team has published a paper detailing the light flaw after seven months of experimentation. They were able to hijack smart speakers 230 to 350 feet away by focusing lasers using a telephoto lens. In fact, the Google Home they tricked into opening a garage door was inside a room in another building. The laser modulation they beamed at its microphone port through the window is equivalent to the voice command "OK Google, open the garage door."

    They explained that there's a small plate called a diaphragm inside devices' microphones that moves when hit by sound. Lasers can replicate that movement and convert it into electric signals that the device can understand. They said opening the garage door by taking over Google Home was easy to do, and they could've easily made online purchases, opened doors protected by smart locks and even remotely unlocked cars connected to voice AI-powered devices by using the same method.

    The researchers have already notified Tesla, Ford, Amazon, Apple and Google about the issue -- a move that's highly important to get the problem fixed, since simply covering microphones with tape wouldn't solve it. Most microphones, they said, would have to be redesigned. The team was able to hijack Google Home/Nest, Echo Plus/Show/Dot, Facebook Portal Mini, Fire Cube TV, Ecobee 4, iPhone XR, iPad 6th Gen, Samsung Galaxy S9 and Google Pixel 2 devices using the technique. It was much easier hijacking smart speakers from afar, though. The method only worked on the mobile devices from a maximum distance of 16 to 65 feet.

    This is far from the first digital assistant vulnerability security researchers have discovered. Researchers from China's Zhejiang University found that Siri, Alexa and other voice assistants can be manipulated with commands sent in ultrasonic frequencies. Meanwhile, a group from the University of California, Berkeley found that they can take over smart speakers by embedding commands, which aren't audible to the human ear, directly into recordings of music or spoken text.



     
  2. headcronie

    headcronie Greyscale. Nuff Said. Super Moderator

    Messages:
    13,925
    Likes Received:
    3,656
    Trophy Points:
    113
    Help me out here. I can't remember if this is true or not, and I can't remember where that setting is. I know I disabled purchase via voice on my Alexa devices. That can't be turned back on via voice assistant, correct? That needs to be enabled via website or Amazon app?

    Don't have any smart locks, and I think I'm all the smarter for not having them.

    Feel free to turn on my lamps that have a smart plug. Soon as I see that happening, they all get pitched and I'll never go back.
     
  3. jigwashere

    jigwashere Life is a circus!

    You should be fine since you'd have to manually enable voice purchasing. If you do ever decide to enable voice purchasing, you can add a 4-digit PIN.
     
  4. headcronie

    headcronie Greyscale. Nuff Said. Super Moderator

    Thanks for the info Jig! :)

     
  5. EdmundDantes

    EdmundDantes Mobile Deity

    Messages:
    2,291
    Likes Received:
    2,058
    Trophy Points:
    288
    This blew my mind until I read the NY Times article, which explained that the laser vibrated the microphone, just like sound would. Sort of a reverse laser microphone that 'reads' vibrations off window-glass, etc. Just more reasons not to have one. Every time I decide I'm going to get one, something like this comes out. I'd only put it on a light switch or something so I could de-power it at will.
     
  6. headcronie

    headcronie Greyscale. Nuff Said. Super Moderator

    I remember in Jr. High science class that the output from a CD player was sent through a laser beam, directed at a... I believe a solar panel which was wired to a headphone jack which was plugged into a speaker. The result was audio transmitted over laser, which is essentially what they are doing here. Just targeting the microphone vs an optical input.

     
  7. jigwashere

    jigwashere Life is a circus!

    I have 4 Google Home minis in the house. I played with them to work with the home theater and thermostat, but that was all very frustrating at best. The novelty wore off pretty quickly.

    Currently, the 4 minis get used to broadcast messages (e.g., "dinner is ready" or "get down here now or you're walking to school!"), look up information ("Hey, Google! List 10 pros and 10 cons for GMOs."), do math ("Hey, Google! True or False: If a function f is not defined at x = a then the limit lim f(x) as x approaches a never exists."), and execute a few other functions ("Hey, Google! Play that song I like but I can't remember the name," or "Hey, Google! Mom just confiscated my phone again. Please call Dad.").

    I suppose I should be a bit more mindful of security, though. It is possible some Russian spy with direct line-of-sight across my yard, past the trees and bushes, through my window, up the stairs and down the hall to my Google Mini could use it to order something. Then again, my credit card purchases are fraud-protected. Last time I spotted unusual charges on my card (about 4 months ago), the bank refunded the charges and replaced the cards very quickly. ;)
     
  8. headcronie

    headcronie Greyscale. Nuff Said. Super Moderator

    For me, it's the IoT lack of transparency and clarity. The Google Home Mini sits anywhere, connected wirelessly. It does not show you the firmware update version, the date of last update, the fact that Google shelved this product x years ago and it just staggers on with known exploits, etc. (not shelved yet, but at some point all things will be). The average user will have no clue. Once a compromise is out there... it's just a matter of time. Then you've got a device within your own network, running DDoS attacks, or attacking your own infrastructure looking to steal your data. I'd love it if these things would just simply shut off at their EOL so they aren't a risk to their users. No company seems to care that much though. Out for the quick dollar, and let the users fend for themselves. I'm not paranoid, I just don't like how there are no protections built into any of these devices. The end user is left to fend for themselves. The end user likely has no clue...

    My WeMo devices work pretty well, with a handful of firmware updates available since I've installed. I have to manually install the firmware. It's not done automatically. I can't deregister a device and sell it. Once it is connected to my account, it is there forever. If I want to stop using a device, I need to smash it with a hammer. If someone else gets their hands on one of my WeMo devices, they're essentially inside my network. Isn't that grand? Thankfully I can decouple WeMo from Amazon and Google and pull the physical plugs. But it shouldn't be that way.
     
  9. Mi An

    Mi An Untethered

    Messages:
    5,491
    Likes Received:
    5,272
    Trophy Points:
    288
    I wish I could fend for myself. The early days of smart home tech weren't tied to online accounts at all. I can't quite remember the names for the protocols that were used for smart outlets and the like before google and amazon and the like got into it, but generally there was a hub and some local software to control things. It was sometimes a pain to remote in if you had a dynamic IP, but there were solutions that didn't require surveillance capitalism. I see no benefit to any smart appliance phoning home to a far off server, well, no benefit to me, just to multinational megacorps. Least of all things like door locks or garage door openers, but also not even light bulbs and speakers however harmless that might be.

    I know what you're thinking, I'm an old luddite that wants google to get off my lawn. In fact, nothing could be further from the truth. If I could get a Waymower to mow my lawn for me while I chillax inside watching Battlestar Galactica, I'm all for it. Sure, that's quite a tool for skynet to err, um, mow us down with, but I'd just as soon be taken out early if skynet wakes up, before she gets really creative. Just keep the smart appliances outside, please and thank you. And no frakkin smart toasters either.
     
    Last edited: Nov 5, 2019
  10. headcronie

    headcronie Greyscale. Nuff Said. Super Moderator

    Yeah, the last smart toaster I had... I told a joke, it laughed, I laughed... I threw it out the window and ran.

     
