‘Dolphin’ attacks fool Amazon, Google voice assistants
Voice-controlled assistants by Amazon, Apple and Google could be hijacked by ultrasonic audio commands that humans cannot hear, research suggests.
Two teams said the assistants responded to commands broadcast at high frequencies that can be heard by dolphins but are inaudible to humans.
They were able to make smartphones dial phone numbers and visit rogue websites.
Google told the BBC it was investigating the claims presented in the research.
Many smartphones feature a voice-controlled assistant that can be set up to constantly listen for a “wake word”.
Google’s assistant starts taking orders when a person says “ok Google”, while Apple’s responds to “hey Siri” and Amazon’s to “Alexa”.
Researchers in China set up a loudspeaker to broadcast voice commands that had been shifted into ultrasonic frequencies.
They said they were able to activate the voice-controlled assistant on a range of Apple and Android devices and smart home speakers from several feet away.
A US team was also able to activate the Amazon Echo smart speaker in the same way.
The US researchers said the attack worked because the target microphone processed the audio and interpreted it as human speech.
“After processing this ultrasound, the microphone’s recording… is quite similar to the normal voice,” they said.
The Chinese researchers suggested an attacker could embed hidden ultrasonic commands in online videos, or broadcast them in public while near a victim.
In tests they were able to make calls, visit websites, take photographs and activate a phone’s airplane mode.
However, the attack would not work on systems that had been trained to respond to only one person’s voice, which Google offers on its assistant.
Apple’s Siri requires a smartphone to be unlocked by the user before allowing any sensitive activity such as visiting a website.
Apple and Google both allow their “wake words” to be switched off so the assistants cannot be activated without permission.
“Although the devices are not designed to handle ultrasound, if you put something just outside the range of human hearing, the assistant can still receive it so it’s certainly possible,” said Dr Steven Murdoch, a cyber-security researcher at University College London.
“Whether it’s realistic is another question. At the moment there’s not a great deal of harm that could be caused by the attack. Smart speakers are designed not to do harmful things.
“I would expect the smart speaker vendors will be able to do something about it and ignore the higher frequencies.”
The Chinese team said smart speakers could use microphones designed to filter out sounds above 20 kilohertz to prevent the attack.
A Google spokesman said: “We take user privacy and security very seriously at Google, and we’re reviewing the claims made.”
Amazon said in a statement: “We take privacy and security very seriously at Amazon and are reviewing the paper issued by the researchers.”