Siri and Google: Ultrasound Waves Allow Researchers to Access Phones

Although an ultrasound wave cannot be heard by humans, it can activate Siri on a cellphone and allow a hacker to use the phone to take pictures, make calls or read messages while the phone's owner remains completely unaware.

Researchers at St Louis' Washington University used ultrasound waves to show how a vulnerability in the security of cellphones can be exploited.

The research demonstrated how ultrasonic waves can pass through solid surfaces and go on to activate voice recognition systems like Siri. Once the hacker has secured some relatively cheap equipment, they can both communicate with the phone and hear the phone respond.

The research findings were made available at the Network and Distributed System Security Symposium that took place on 24th February in San Diego and were presented by Ning Zhang, from the McKelvey School of Engineering.

Zhang, an Assistant Professor of Computer Science and Engineering, co-wrote the report and demonstrated how they could send vocal commands to cellphones that were right next to their owner.

By using a microphone the researchers could easily communicate with the phone and control its actions.

Virtual Voice Attack

While ultrasonic waves are outside the range of human hearing, they are easily picked up by cellphones and microphones. For a tech-savvy hacker, this means that they can gain access to the phone by tricking it into thinking you are giving it a voice command.

One of the ways the team tested the ability of ultrasound to send commands through solid surfaces was to place a phone on a table with a microphone and a PZT attached to the underside. The PZT (piezoelectric transducer) turns electricity into ultrasound.

The phone sat on the top side of the table, next to a hidden waveform generator that produced the required signal for the phone.

Once the experiment had been set up, the team ran some tests. The first test looked at obtaining a passcode sent by SMS. To achieve this, the team used a common command, "read my messages".

They also assumed that two-factor authentication would be in use, whereby a passcode is sent to the user's phone. This is commonly used by internet banking or other key services that require confirmation of identity.

The initial attack involved making the virtual assistant reduce the volume on the phone to level 3, the level at which an owner would not notice their phone responding if they were in a standard, moderately busy office setting. 

The next step was to send a 'message' from the bank and then send the "read my messages" command. The response was then picked up by the microphone placed on the underside of the table, while the victim remained completely unaware.

The second test aimed to conduct a fraudulent telephone call, and this was achieved by sending a 'call Sam with speakerphone' command. This enabled the phone to start the call, and the attacker could chat with 'Sam' without the knowledge of the victim.

A Crazy-Old-Simple Solution

The research was conducted on 17 models from the major phone brands. These included Galaxy, Moto and iPhone. Only two of these phones proved resistant to ultrasonic waves.

The waves were tested on metal, glass and wood, across different table surfaces and phone settings, and were able to pass through all of them.

Despite all of the attempts by the researchers to thwart access to the phone, including changing configurations on the phone and microphone and placing objects to obstruct the ultrasonic waves, the attacks were still successful even at around 30 feet away from the phone.

The use of plastic tables did enable the team to dampen the sound waves; however, it was found that mobile phone cases had very little effect. Alarmingly, one setup could simultaneously allow an attacker to access multiple devices.

These 'surfing attacks' indicate the need to pay more attention to the way our devices work. Often media interest is focused on how our technology is affecting our lifestyle or our health, but the physics is often ignored, and it is this that will be a key factor in stopping attacks.

One of the suggestions made by Zhang and his team is that phone software could be updated to discriminate between a real human voice and an artificially generated ultrasonic wave. Layout changes could also help, perhaps moving the microphone to dampen any potential ultrasonic attack.

However, the easiest and simplest way to stop ultrasonic waves is less technical – using a tablecloth to impede the ultrasonic waves!
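
The software-side idea mentioned above, telling a human voice apart from an ultrasonic signal, can be sketched as a spectral check on the raw microphone frame. This is an added example, not the researchers' method or any vendor's code; the sample rate, band limits, threshold and test signals are all assumptions chosen for illustration.

```python
import math

RATE = 96_000                  # assumed raw capture rate (Hz); must exceed 2x the top probe
FRAME = 960                    # 10 ms frame, so analysis bins are 100 Hz apart
VOICE_BAND = (100, 8_000)      # assumed speech band (Hz)
ULTRA_BAND = (20_000, 40_000)  # assumed band above the ~20 kHz limit of human hearing
THRESHOLD = 0.10               # assumed: flag frames with >10% of energy in ULTRA_BAND

def goertzel_power(frame, rate, freq):
    """Squared magnitude of one frequency component (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_energy(frame, rate, band, step=100):
    """Sum of component powers probed every `step` Hz across the band."""
    lo, hi = band
    return sum(goertzel_power(frame, rate, f) for f in range(lo, hi + 1, step))

def ultrasonic_ratio(frame, rate=RATE):
    """Share of measured energy that lies in the ultrasonic band (0.0 for silence)."""
    voice = band_energy(frame, rate, VOICE_BAND)
    ultra = band_energy(frame, rate, ULTRA_BAND)
    total = voice + ultra
    return ultra / total if total > 0 else 0.0

def is_suspicious(frame, rate=RATE):
    """True when the frame carries more ultrasonic energy than the threshold allows."""
    return ultrasonic_ratio(frame, rate) > THRESHOLD

def tones(parts, n=FRAME, rate=RATE):
    """Constructed test signal: a sum of (frequency, amplitude) sinusoids."""
    return [sum(a * math.sin(2 * math.pi * f * i / rate) for f, a in parts)
            for i in range(n)]

# Constructed samples, not recordings.
SPEECH_LIKE = tones([(200, 0.5), (400, 0.5), (1200, 0.5), (2500, 0.5)])
WITH_ULTRASOUND = tones([(200, 0.5), (400, 0.5), (1200, 0.5), (2500, 0.5), (25_000, 1.0)])

if __name__ == "__main__":
    for name, frame in (("speech-like", SPEECH_LIKE), ("with ultrasound", WITH_ULTRASOUND)):
        print(f"{name}: ratio={ultrasonic_ratio(frame):.3f} flagged={is_suspicious(frame)}")
```

A check like this only works on audio captured before any low-pass filtering or downsampling to a speech-only rate, since that step discards the ultrasonic band the check looks at.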