Dolphins inspire ultrasonic attacks that pwn smartphones, cars and digital assistants

Flipper heck!


Voice control is all the rage these days, but a team of Chinese researchers has come up with a way to subvert such systems by taking a trick from the natural world.

Apps like Google Assistant and Siri are set to always be listening and ready for action, but shouting into someone else's phone is hardly subtle. So the team from Zhejiang University decided to take a standard voice command, convert it into the ultrasonic range so humans can't hear it, and see if the device could.

The method [PDF], dubbed DolphinAttack, takes advantage of the fact that puny human ears can't hear sounds well above 20kHz. So the team added an amplifier, ultrasonic transducer and battery to a regular smartphone (total cost in parts around $3) and used it to send ultrasonic commands to voice-activated systems.

DolphinAttack

Very little kit can have a big effect

"By leveraging the nonlinearity of the microphone circuits, the modulated low-frequency audio commands can be successfully demodulated, recovered, and more importantly interpreted by the speech recognition systems," they said.

"We validate DolphinAttack on popular speech recognition systems, including Siri, Google Now, Samsung S Voice, Huawei HiVoice, Cortana and Alexa." The in-car navigation system in Audi cars was also vulnerable in this way.

Because voice control has lots of possible functions, the team was able to order an iPhone to dial a specific number – which is handy but not that useful as an attack. But they could also instruct a device to visit a specific website – which could be loaded up with malware – dim the screen and volume to hide the assault, or just take the device offline by putting it in airplane mode.

The biggest brake on the attack isn't down to the voice command software itself, but the audio capabilities of the device. Many smartphones now have multiple microphones, which makes an assault much more effective.

As for range, the furthest distance the team managed to make the attack work at was 170cm (5.5ft), which is certainly practical. Typically the signal was sent out at between 25 and 39kHz.

The full research will be presented at the ACM Conference on Computer and Communications Security next month in Dallas, Texas. ®


Other stories you might like

  • Moscow court fines Pinterest, Airbnb, Twitch, UPS for not storing data locally
    Data sovereignty is more important than Ukrainian sovereignty

    A Moscow court has fined Airbnb, Twitch, UPS, and Pinterest for not storing Russian user data locally, according to Russian regulator Roskomnadzor.

    The decision was handed down by the Tagansky District Court of Moscow after the four foreign companies allegedly did not provide documents confirming that the storage and processing of Russian personal data was conducted entirely in the country.

    Twitch, Pinterest and Airbnb were fined approximately $38,500 while UPS received a fine of roughly $19,200.

    Continue reading
  • Israel plans ‘Cyber-Dome’ to defeat digital attacks from Iran and others
    Already has 'Iron Dome' – does it need another hero?

    The new head of Israel's National Cyber Directorate (INCD) has announced the nation intends to build a "Cyber-Dome" – a national defense system to fend off digital attacks.

    Gaby Portnoy, director general of INCD, revealed plans for Cyber-Dome on Tuesday, delivering his first public speech since his appointment to the role in February. Portnoy is a 31-year veteran of the Israeli Defense Forces, which he exited as a brigadier general after also serving as head of operations for the Intelligence Corps, and leading visual intelligence team Unit 9900.

    "The Cyber-Dome will elevate national cyber security by implementing new mechanisms in the national cyber perimeter, reducing the harm from cyber attacks at scale," Portnoy told a conference in Tel Aviv. "The Cyber-Dome will also provide tools and services to elevate the protection of the national assets as a whole. The Dome is a new big data, AI, overall approach to proactive defense. It will synchronize nation-level real-time detection, analysis, and mitigation of threats."

    Continue reading
  • Intel to sell Massachusetts R&D site, once home to its only New England fab
    End of another era as former DEC facility faces demolition

    As Intel gets ready to build fabs in Arizona and Ohio, the x86 giant is planning to offload a 149-acre historic research and development site in Massachusetts that was once home to the company's only chip manufacturing plant in New England.

    An Intel spokesperson confirmed on Wednesday to The Register it plans to sell the property. The company expects to transfer the site to a new owner, a real-estate developer, next summer, whereupon it'll be torn down completely.

    The site is located at 75 Reed Rd in Hudson, Massachusetts, between Boston and Worcester. It has been home to more than 800 R&D employees, according to Intel. The spokesperson told us the US giant will move its Hudson employees to a facility it's leasing in Harvard, Massachusetts, about 13 miles away.

    Continue reading
  • Start using Modern Auth now for Exchange Online
    Before Microsoft shutters basic logins in a few months

    The US government is pushing federal agencies and private corporations to adopt the Modern Authentication method in Exchange Online before Microsoft starts shutting down Basic Authentication from the first day of October.

    In an advisory [PDF] this week, Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) noted that while federal executive civilian branch (FCEB) agencies – which includes such organizations as the Federal Communications Commission, Federal Trade Commission, and such departments as Homeland Security, Justice, Treasury, and State – are required to make the change, all organizations should make the switch from Basic Authentication.

    "Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth," CISA wrote. "After completing the migration to Modern Auth, agencies should block Basic Auth."

    Continue reading
  • Arrogant, subtle, entitled: 'Toxic' open source GitHub discussions examined
    Developer interactions sometimes contain their own kind of poison

    Analysis Toxic discussions on open-source GitHub projects tend to involve entitlement, subtle insults, and arrogance, according to an academic study. That contrasts with the toxic behavior – typically bad language, hate speech, and harassment – found on other corners of the web.

    Whether that seems obvious or not, it's an interesting point to consider because, for one thing, it means technical and non-technical methods to detect and curb toxic behavior on one part of the internet may not therefore work well on GitHub, and if you're involved in communities on the code-hosting giant, you may find this research useful in combating trolls and unacceptable conduct.

    It may also mean systems intended to automatically detect and report toxicity in open-source projects, or at least ones on GitHub, may need to be developed specifically for that task due to their unique nature.

    Continue reading
  • Intel’s CEO shouldn’t be surprised America can’t get CHIPS Act together
    Silicon supremo warns he could prioritize expansion in Europe if Congress doesn’t approve subsidies

    Comment How serious is Intel about delaying the build-out of its planned $20 billion mega-fab site in Ohio?

    It turns out very serious, as Intel CEO Pat Gelsinger made clear on Tuesday, less than a week after his x86 giant delayed the groundbreaking ceremony for the Ohio site to show its displeasure over Congress' inability to pass $52 billion in subsidies to fund American semiconductor manufacturing.

    In comments at the Aspen Ideas Festival yesterday, Gelsinger warned Intel would prioritize building factories in Europe over the US if Congress fails to act on the long-stalled chip subsidies bill.

    Continue reading
  • 'Prolific' NetWalker extortionist pleads guilty to ransomware charges
    Canadian stole $21.5m from dozens of companies worldwide

    A former Canadian government employee has pleaded guilty in a US court to several charges related to his involvement with the NetWalker ransomware gang.

    On Tuesday, 34-year-old Sebastien Vachon-Desjardins admitted he conspired to commit computer and wire fraud, intentionally damaged a protected computer, and transmitted a demand in relation to damaging a protected computer. 

    He will also forfeit $21.5 million and 21 laptops, mobile phones, gaming consoles, and other devices, according to his plea agreement [PDF], which described Vachon-Desjardins as "one of the most prolific NetWalker Ransomware affiliates" responsible for extorting said millions of dollars from dozens of companies worldwide.

    Continue reading

Biting the hand that feeds IT © 1998–2022