Save up to $1,100 on Galaxy S24 Ultra!
Amazon Black Friday is here
The Amazon Black Friday deals are here early, enjoy the best discounts of the year now.
00 days
00 hrs
00 mins

Google Assistant, Siri, Alexa and other digital helpers have a dangerous vulnerability (Videos)

By
4comments
Google News Follow
Follow us on Google News
Apple Google Amazon
Video Thumbnail


We know that Amazon, Google, and Apple transcribe requests and questions asked of Alexa, Google Assistant, and Siri respectively. The companies say that this is done to improve these AI based helpers. If you think that this is the only privacy issue that you'll face with the virtual digital assistant on your phone, tablet or speaker, guess again. A paper published yesterday discusses the use of laser attacks on virtual assistants that can "inject" them with commands that cannot be heard or seen. The attack has been given the name "Light Commands" and is a vulnerability found on the small, high-quality MEMS (microelectro-mechanical systems) microphones that are used on speakers, phones and tablets. The reason this hack works is because the laser can be manipulated to trick the microphones inside a device into believing that it is receiving audio commands. In other words, the bad actor is essentially hijacking the voice assistant.

Perhaps the scariest thing about this attack is that it can be done through glass and from another building as far away as 360 feet. There must be a line of sight for the attack to work and the laser beam must hit a certain part of the microphone. But when this attack is successful, it could allow a hacker to control smart home appliances and smart garage doors, make online purchases, unlock and start certain vehicles from a distance, and open smart locks by using the brute force method to discover a PIN number. A brute force attack allows the hacker to make a large number of attempts using every possible combination to discover the PIN code used on a device.

A Light Commands attack can lead to unauthorized on-line purchases"


Putting together a Light Commands system is not expensive. All it takes is a laser pointer, a laser driver and a sound amplifier. A telephoto lens can be used for long-distance attacks. Altogether, such a setup could cost less than $581 with most of these items available from Amazon.

The report lists several devices that are susceptible to Light Commands and points out that "While we do not claim that our list of tested devices is exhaustive, we do argue that it does provide some intuition about the vulnerability of popular voice recognition systems to Light Commands." The devices listed include:

  • Google Home (Google Assistant)
  • Google Home mini (Google Assistant)
  • Google NEST Cam IQ (Google Assistant)
  • Echo Plus 1st Generation (Alexa)
  • Echo Plus 2nd Generation (Alexa)
  • Echo Amazon (Alexa)
  • Echo Dot 2nd Generation (Alexa)
  • Echo Dot 3rd Generation (Alexa)
  • Echo Show 5 (Alexa)
  • Echo Spot (Alexa)
  • Facebook Portal Mini (Alexa)
  • Fire Cube TV (Alexa)
  • EchoBee 4 (Alexa)
  • iPhone XR (Siri)
  • iPad 6th Gen (Siri)
  • Samsung Galaxy S9 (Google Assistant)
  • Google Pixel 2 (Google Assistant)
The report notes that speaker recognition is usually disabled by default for smart speakers, but is enabled by default on handsets and tablets. But this security system only uses the recognition system to determine if the assistant's hotword ("Ok, Google," "Hey Siri," "Alexa") was spoken by the owner of the device. One the assistant is activated, the Light Commands can send out a fake request. And as the report points out, "speaker recognition for wake-up words is often weak and can be sometimes bypassed by an attacker using online text-to-speech synthesis tools for imitating the owner's voice."

Recommended Stories
Setting up a cross-building Light Commands attack - Google Assistant, Siri, Alexa and other digital helpers have a dangerous vulnerability (Videos)
Setting up a cross-building Light Commands attack

While those with a device under a Light Commands attack won't hear anything alerting them that something suspicious is happening, a user might be able to detect the light from the laser reflecting off of the target device. And while the report does point out how this vulnerability could be exploited, it does note that there are no indications that such an attack has been used in the wild. Just to make sure, it might be a good idea to make sure that your smart speaker isn't placed near a window that would give an attacker the clear line of sight needed to launch such an attack.

https://m-cdn.phonearena.com/images/users/39-200/Alan-F.jpg
Alan Friedman Mobile Tech News Journalist
Alan, an ardent smartphone enthusiast and a veteran writer at PhoneArena since 2009, has witnessed and chronicled the transformative years of mobile technology. Owning iconic phones from the original iPhone to the iPhone 15 Pro Max, he has seen smartphones evolve into a global phenomenon. Beyond smartphones, Alan has covered the emergence of tablets, smartwatches, and smart speakers.

Recommended Stories

Loading Comments...

Popular stories

Time has come to say goodbye to T-Mobile app after 12 years
Time has come to say goodbye to T-Mobile app after 12 years
T-Mobile introduces welcome change for iPhone users
T-Mobile introduces welcome change for iPhone users
AT&T wants to shut down a network with only 52 users (UPDATE: AT&T responds)
AT&T wants to shut down a network with only 52 users (UPDATE: AT&T responds)
People are hearing voices coming from their iPhone
People are hearing voices coming from their iPhone
This better not be happening: YouTube Premium users are seeing ads
This better not be happening: YouTube Premium users are seeing ads
Best Buy is now selling the 512GB OnePlus 12 flagship at its killer Black Friday price
Best Buy is now selling the 512GB OnePlus 12 flagship at its killer Black Friday price

Latest News

Amazon slashes the 512GB Galaxy S24 Ultra by $350 for Black Friday, making it a can't-miss offer
Amazon slashes the 512GB Galaxy S24 Ultra by $350 for Black Friday, making it a can't-miss offer
Surprise Amazon Black Friday deal slashes more than $250 off the cheapest Pixel 9 model
Surprise Amazon Black Friday deal slashes more than $250 off the cheapest Pixel 9 model
Sizzling hot Black Friday 2024 deal makes Apple's 2022 iPad cheaper than ever before
Sizzling hot Black Friday 2024 deal makes Apple's 2022 iPad cheaper than ever before
Oppo Find X8 Series goes global with new Hasselblad camera system, ColorOS 15
Oppo Find X8 Series goes global with new Hasselblad camera system, ColorOS 15
T-Mobile proves its mettle against Verizon and AT&T by doing for customers what rivals were unable to
T-Mobile proves its mettle against Verizon and AT&T by doing for customers what rivals were unable to
Apple releases iPhone and iPad security updates you should install ASAP
Apple releases iPhone and iPad security updates you should install ASAP
FCC OKs Cingular\'s purchase of AT&T Wireless