Researchers have come up with a new attack strategy against smart assistants. These attacks threaten all devices featuring voice assistants. Dubbed as ‘LightCommands’, these attacks enable a potential attacker to inject voice commands to the devices and take control of them.
Researchers have developed new attacks that allow meddling with smart assistants. These attacks named ‘LightCommands’ allow injecting audio signals to voice assistants.
LightCommands attacks basically exploit a flaw in MEMS (microelectromechanical systems) that recognize light as voice commands. Thus, the researchers could easily inject voice sound into the microphones using laser light.
Moreover, the researchers also noticed the absence of robust user authentication systems in most voice assistants. Hence, a potential attacker can simply hack into the assistants and meddle with smart home systems, smart cars, and other devices.
In this way, LightCommand attacks exploit a hardware and a software issue to compromise Google Assistant, Amazon Alexa, Apple Siri, or Facebook Portal.
Conducting the attack requires no physical interaction with the target device. An attacker may use laser light from a distance of up to 110 meters and from separate buildings.
In their experiment, the researchers chose four different voice commands to assess the attack method on various speakers, phones, a tablet, a thermostat, and a camera. These devices had Google Assistant, Siri, Alexa and Facebook Portal at the backend.
Whereas the voice commands were: “what time is it”, “set the volume to zero”, “purchase a laser point”, and “open the garage door”. They generated these commands whilst appending a wake word to call the voice assistant. They then injected those commands to the devices’ microphone by aiming a laser at the microphone ports.
The researchers left all devices in their default settings and experimented in a closed environment while aiming through clear glass windows. As a result, they found all the devices vulnerable to light-based audio command injection attacks.
They have published their findings in detail as a research paper. Whereas they have also set up a website to describe LightCommands and shared a quick explanatory video.
The researchers have ensured no detection of these attacks in the wild, yet.