Tuesday, 31 January 2023 20:05

Security flaw allows control of voice assistants from Google, Apple or Amazon

The researchers who discovered this flaw call it the "dolphin technique": a simple and cheap method that allows you to pass commands to all the voice assistants on the market without the owner's knowledge. It allows, for example, to ask Siri, Apple's assistant, to make a phone call; to ask Alexa to make an order on Amazon; and even to give a new destination to an in-car navigation system.

Why the dolphin? Simply because the technique is based on the use of sound frequencies inaudible to humans, such as those used by these marine mammals to communicate - they are perfectly perceived by the microphones of voice assistants. The technique therefore simply allows to "pronounce" inaudibly commands to activate, for example, Amazon's Alexa assistant, before asking it to place an order. The instructions are given in the upper 20 kHz band, which is inaudible to most humans - especially adults.

The process does not require expensive hardware either: a few components costing a few euros are enough to emit these infrasounds, note the researchers from Zhejiang University (China) who made the discovery (PDF), whose study has been made public but has not yet been published in a peer-reviewed journal.

Possible correction

According to the authors, it is possible to correct it, either by improving the microphones used by the various devices equipped with an assistant so that they filter the sounds located in the band of more than 20 kHz, or by entrusting the software of these assistants with the task of detecting the "atypical" commands. But correcting the problem would also require changes in the way these devices work, as they use frequencies above 20 kHz for their own purposes, especially to synchronize devices by transmitting signals that are inaudible to the human ear.

However, the flaw is far from being anecdotal: if taking control of an assistant such as Google Home offers only limited possibilities, these voice assistants are also widely used on smartphones, and also exist on computers - recent versions of Windows integrate Cortana, the voice assistant from Microsoft. The technique can for example be used to make the phone or computer open a web page containing malware, and potentially offers an attack channel that does not require physical access to the phone or computer.


Rate this item
(0 votes)
Last modified on Friday, 02 December 2022 11:40

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.

No Internet Connection