As voice-controlled devices such as smartphones, vehicle infotainment systems, and smart speakers become increasingly popular, hackers are coming up with innovative ways of targeting them. Now, a team of researchers has shown off a method that uses ultrasonic frequencies – sounds so high that they’re inaudible to humans.
Scientists from China's Zhejiang University demonstrated the technique, which is aptly called DolphinAttack. First, they created a program that can translate human voice commands into sounds above 20kHz. These were played back using a standard smartphone equipped with an amplifier, ultrasonic transducer, and an extra battery, all of which costs less than $3.
The commands were tested on 16 devices and seven systems, including Siri, Alexa, Google Assistant, Samsung S Voice, Cortana, and the navigation system in Audi cars. The team said: "the inaudible voice commands can be correctly interpreted by the SR (speech recognition) systems on all the tested hardware."
In addition to basic commands like “Hey Siri” and “Okay Google,” the exploit can be used in more malicious ways, such as visiting malware-loaded websites or making outgoing calls to spy on victims.
Thankfully, there are limitations that mean the attack is less than perfect. At the moment, the device is ineffective beyond a range of five or six feet, and it works better in quieter environments; using ultrasonic commands that tell Siri to switch on airplane mode was 100 percent successful in an office but just 30 percent successful in a street. The other problem for hackers is that a digital assistant must be switched on, and most of them respond to commands with a tone or reply of their own, which would likely alert a user.
While altering a system so it ignores commands over a certain frequency might seem like a simple solution, industrial designer Gadi Amit told FastCompany that doing so could lower its “comprehension score,” while some devices use it for ultrasonic pairing.