How is it possible?
The hackers have discovered a way to remotely and silently transmit radio commands to the voice control systems implemented by both Apple and Google: Apple’s Siri and Android’s Google Now.
The hack works only if the targeted device has headphones plugged into its jack; under these conditions the attack works without a word being spoken.
“The possibility of inducing parasitic signals on the audio front-end of voice-command-capable devices could raise critical security impacts,” the two French researchers, José Lopes Esteves and Chaouki Kasmi, explained in a paper published by the IEEE.
The hack utilizes:
The transmitter is used by hackers to send radio waves that are able to trigger voice commands on any iPhone or Android device with a pair of microphone-enabled headphones plugged in.
The headphone cable works as a radio antenna, so the mobile device that receives the radio waves believes that the voice commands are coming from the user’s microphone.
The researchers presented their discovery this summer at the Hack in Paris conference.
The researchers from the ANSSI demonstrated that, by exploiting this technique, attackers are able to make calls, send SMS, dial the attacker’s number so he can eavesdrop on conversations in the surrounding environment, visit websites managed by attackers that host an exploit kit, and send phishing and spam messages using the victim’s email or social media accounts (e.g. Facebook, Twitter).
“The sky is the limit here. Everything you can do through the voice interface you can do remotely and discreetly through electromagnetic waves,” Vincent Strubel, the director of the research group at ANSSI, explained to Wired. “You could imagine a bar or an airport where there are lots of people,” he said. “Sending out some electromagnetic waves could cause many smartphones to call a paid number and generate cash.”
For the attack to succeed, the headphones must be connected to the mobile device and the voice assistant Siri has to be enabled from the lockscreen, which is Apple’s default setting.
As a generator of electromagnetic waves, the French duo used a laptop running the open-source software GNU Radio, a USRP software-defined radio, an amplifier, and an antenna. The researchers explained that their basic equipment could fit inside a backpack and can reach a range of around six and a half feet. In a more powerful configuration composed of larger batteries that could fit inside a van, the researchers say they could extend the attack’s range to more than 16 feet.
The two experts also published a video proof of concept for the attack, in which they demonstrated how to send a command to Google Now via radio on an Android smartphone, instructing the mobile device to launch the browser and visit the ANSSI official website.
What about old devices?
The latest versions of iOS implement the hands-free feature that allows iPhone owners to send voice commands by saying “Hey Siri.”
The researchers Kasmi and Esteves explained that their attack also works on older iOS versions. The iPhone headphones have long had a button on their cord that allows the user to enable Siri with a long press. The experts explained that by reverse engineering and spoofing the electrical signal of that button press, they were able to emulate the user interaction and trigger Siri from the lockscreen.
“It’s not mandatory to have an always-on voice interface,” says Kasmi. “It doesn’t make the phone more vulnerable, it just makes the attack less complex.”
The French researchers already reported the attack to both Apple and Google.
(Security Affairs – mobile phone, hacking)