Researchers at the University of Michigan and Japan’s University of Electro-Communications have revealed how they could control smart speakers and other gadgets simply by pointing a laser carrying an encoded voice command at them. The techniques used by the researchers reveal new ways of exploiting security vulnerabilities in these systems, reported CNN. The paper, which shows how the researchers managed to ‘hack’ these devices with light commands, is also available online.
Usually one has to talk to a voice assistant to have it carry out a command. But these researchers determined they can also command the assistants by shining a laser at smart speakers and other gadgets. Amazon’s Alexa, Apple’s Siri and Google’s Assistant were all found vulnerable to this technique.
The list of devices which the researchers were able to exploit with their laser technique included Google Home, Google Nest Cam IQ, Amazon Echo, Echo Dot and Echo Show devices, Facebook’s Portal Mini, the iPhone XR and iPad 6th gen. While Google said it was reviewing the research, Amazon and Apple have not commented on the issue, reported CNN.
So how did the researchers manage to control these devices with just a laser?
In the paper, the researchers note that this “new class of signal injection attacks on microphones” is “based on the photoacoustic effect”, where they convert light to sound by exploiting the microphone in these devices. Most smart speakers and other smart devices have a microphone so that they can hear the user’s command.
In this scenario, the researchers showed how “an attacker can inject arbitrary audio signals to the target microphone by aiming an amplitude-modulated light at the microphone’s aperture.” The researchers were able to take full control of the devices at distances up to 110 meters and from two separate buildings, notes the paper.
Further, they were able to get the devices to carry out tasks like opening smart-lock-protected front doors and garage doors, shopping on e-commerce sites, and even locating and starting vehicles like Tesla and Ford, which were connected to the target’s Google account.
The attack reveals that anyone outside the house could ‘hack’ into these devices and carry out commands which the user would not have given. The sound of each command was encoded in the light beam, and once it hit the microphone, the microphone would vibrate as though someone had spoken the command and the device would carry out the task.
“If you have a laser that can shine through windows and across long distances — without even alerting anyone in the house that you’re hitting the smart speaker — there’s a big threat in being able to do things a smart speaker can do without permission of the owner,” said Benjamin Cyr, a graduate student at the University of Michigan and a paper coauthor, according to the report.