Your voice assistant can be hacked – silently

By Adam Tinworth

07/09/2017 | It turns out that our digital friends Siri, Alexa, Cortana et al have something in common with dogs: they can hear, and respond to sounds pitched higher than we can. Yes, there are now dog whistle attacks on our digital devices.

A team of Chinese researchers have discovered that all the major voice assistants out there can be silently triggered - or, at least, silently by human standards:

Using a technique called the DolphinAttack, a team from Zhejiang University translated typical vocal commands into ultrasonic frequencies that are too high for the human ear to hear, but perfectly decipherable by the microphones and software powering our always-on voice assistants. This relatively simple translation process lets them take control of gadgets with just a few words uttered in frequencies none of us can hear.

This is not, on the face of it, as terrifying a prospect as it might seem. All the voice assistants give you feedback on your actions, so you’d be able to see or hear that something is wrong. At worst, it might force your device to open a compromised website that could use an exploit to take control of your system. That’s pretty bad, but would need very careful planning.

Silently opening your house

But the potential implications of a problem like this get a lot bigger when you think of the sorts of things we might be controlling with our voice in the near future:

They could order an Amazon Echo to “open the back door.” Even an Audi Q3 could have its navigation system redirected to a new location.

Imagine triggering a smart home to open it door this way. This is a cry stuff, not least because none of the major vendors seem to have considered this an an attack vector. My guess is that the biggest ones will patch this pretty quickly, but it still shows how quickly choices we make for convenience can open us up to whole waves of vulnerabilities we’d never thought of.

When you think of “hacker” you think of someone hunched at a computer, not someone walking past you (and your phone) with a €4 speaker.