This article is more than 1 year old

Hey Siri, use this ultrasound attack to disarm a smart-home system

We speak to the boffins behind latest trick to fool Google Assistant, Cortana, Alexa

Academics in the US have developed an attack dubbed NUIT, for Near-Ultrasound Inaudible Trojan, that exploits vulnerabilities in smart device microphones and voice assistants to silently and remotely access smart phones and home devices.

The research team — Guenevere Chen, an associate professor at the University of Texas at San Antonio, her doctoral student Qi Xia, and Shouhuai Xu, a professor at the University of Colorado Colorado Springs — found Apple's Siri, Google's Assistant, Microsoft's Cortana, and Amazon's Alexa are all vulnerable to NUIT attacks, albeit to different degrees.

In other words, millions of devices, from phones and laptops to speakers, lights, garage door openers and front door locks, could be remotely hijacked, using carefully crafted near-ultrasonic sounds, and forced to make unwanted phone calls and money transfers, disable alarm systems, or unlock doors.

It involves techniques of the kind we've previously reported on over the years, as readers may recall.

In an interview with The Register this month, Chen and Xia demonstrated two separate NUIT attacks: NUIT-1, which emits sounds to exploit a victim's smart speaker to attack the same victim's microphone and voice assistant on the same device, and NUIT-2, which exploits a victim's speaker to attack the same victim's microphone and voice assistant on a different device. Ideally, for the attacker, these sounds should be inaudible to humans.

End-to-end silent attacks

The attacks work by modulating voice commands into near-ultrasound inaudible signals so that humans can't hear them but the voice assistant will still respond to them. These signals are then embedded into a carrier, such as an app or YouTube video. When a vulnerable device picks up the carrier, it ends up obeying the hidden embedded commands.

Attackers can use social engineering to trick the victim into playing the sound clip, Xia explained. "And once the victim plays this clip, voluntarily or involuntarily, the attacker can manipulate your Siri to do something, for example, open your door."

"The first challenge was can we make it end-to-end silent, so no one can hear it," Chen said. 

For NUIT-1 attacks, using Siri, the answer is yes. The boffins found they could control an iPhone's volume so that a silent instruction to Siri generates an inaudible response.

The other three voice assistants – Google's, Cortana, and Alexa – are still susceptible to the attacks, but for NUIT-1, the technique can't silence devices' response so the victim may notice shenanigans are afoot.

It's also worth noting that the length of malicious commands must be below 77 milliseconds — that's the average reaction time for the four voice assistants across multiple devices. 

A sample of an attack that uses two action commands and fits into the 77-millisecond window first uses the instruction "speak six percent," which lowers Siri's response volume to six percent, making it inaudible to humans and achieving end-to-end noticeability. The second instruction - "open the door" - is the attack payload that uses Siri's voice to open the victim's door, assuming it's connected to home automation systems driven by Siri .

Using one device's speaker to attack another device's microphone

In a NUIT-2 attack, the attacker exploits the speaker on one device to attack the microphone and associated voice assistant of a second device. These attacks aren't limited by the 77-millisecond window and thus give the attacker a broader range of possible action commands. 

An attacker could use this scenario during Zooms meeting, for example: if an attendee unmutes themself, and their phone is placed next to their computer, an attacker could use an embedded attack signal to attack that attendees phone. 

(Editor's note: Chen and Xia both said they did not hack your humble vulture's phone during our Zoom interview.)

Of the 17 devices tested, NUIT-1 and NUIT-2 attacks succeeded against  iPhone X, XR and 8 with end-to-end unnoticeability. NUIT-1 attacks succeeded against the 2021 MacBook Pro and 2017 MacBook Air, plus Samsung's Galaxy S8, S9 and A10e. Amazon's first-generation Echo Dot also fell victim to inaudible attack signals, but survived a silent response attack. NUIT-2 attacks against those same devices did succeed without any sound.

Dell Inspiron 15 devices could be successfully attacked with both methods, however, with inaudible attack signals but not silent response.

The remaining devices — Apple Watch 3, Google Pixel 3, Galaxy Tab S4, LG Think Q V35, Google Home 1, Google Home 1 — were not vulnerable to NUIT-1, but could be attacked using NUIT-2.

Hardware design fail

And finally, iPhone 6 Plus wasn't vulnerable to either attack, likely because it uses a low-gain amplifier while more recent iPhones tested use a high-gain amplifier.

The researchers did find that some devices are not vulnerable to NUIT-1 attacks because either the distance between the device's speaker and microphone is too great.

In part, this highlights a design flaw with smartphones where the speaker and microphone are located next to each other, Chen said. "This is a hardware design problem, not a software problem," she added.

It also indicates how to avoid being the victim of a NUIT attack: use earphones instead of speakers, because the sound from the earphones is too quiet and distant to transmit to the microphone and thus activate the voice assistant. You should also pay attention to what your smart assistant is doing, and consider enabling authentication-by-voice if possible to protect against unauthorized usage.

Additionally, manufacturers could develop NUIT-detecting tools that recognize embedded near-ultrasound frequency signals and reject those action commands as malicious.

Chen, Xia and Xu will demonstrate the NUIT attacks at the USENIX Security Symposium in August, and for those of you looking for more details, their research will also be published at that time. ®

More about


Send us news

Other stories you might like