Voice assistants help you with daily tasks – whether it’s making an appointment with a client to play music and more. The voice assistant market is full of options: Google, Siri, Alexa and Bixby. These assistants are activated using voice commands and get things done. For example, you can ask Alexa to play certain songs of your choice. These devices can be hacked and used against the owner of the device. Today we are going to find out Surf attacks using ultrasonic waves and the potential problems it poses.
What is a surf attack?
Smart devices are equipped with voice assistants such as Google Home Assistant, Amazon Alexa, Apple Siri and some less popular voice assistants. I couldn’t find any definition anywhere on the Internet, so I define it as follows:
“Surf attacks refer to the hijacking of voice assistants using inaudible sounds such as ultrasonic waves, with the intention of gaining access to data from device owners without the owner’s knowledge.”
You may already know that human ears can only hear sounds between a frequency range (20 Hz to 20 KHz. If someone sends audio signals that are outside the audio spectrum of human ears, the no one can hear them, same thing with ultrasound, the frequency is beyond the perception of human ears.
The bad guys have started using ultrasonic waves to hijack devices such as smartphones and smart homes, which use voice commands. These voice commands at the frequency of ultrasonic waves are beyond human perception. This allows hackers to get the information they want (which is stored in voice-activated smart devices), with the help of audio assistants. They use inaudible sounds for this purpose.
For surfing attacks, hackers do not need to be in the field of vision of the smart device to control it using voice assistants. For example, if an iPhone is placed on the table, people assume that the voice can move through the air, so if the voice command comes from the air, they may notice hackers. But this is not the case because voice waves only need a conductor to propagate.
Be aware that solid artifacts can also help the voice to propagate as long as they can vibrate. A wooden table can still pass vocal waves through the wood. These are the ultrasonic waves used as commands to obtain illicit results on the smartphones of target users or other smart devices that use voice assistants such as Google Home or Alexa.
Lily: What is a password spray attack?
How do surf attacks work?
Use inaudible ultrasonic waves that can pass through the surface where the machines are kept. For example, if the phone is on a wooden table, all you need to do is attach a machine to the table that can send ultrasonic waves for a surf attack.
In fact, a device is attached to the victim’s table or the surface on which he or she uses to place the voice assistant. This device first decreases the volume of intelligent assistants so that victims do not suspect anything. The order comes via the device attached to the table and the response to the order is also collected by the same machine or something else which may be at a remote location.
For example, a command can be given saying: “Alexa, please read the SMS I just received”. This command is inaudible to people present in the room. Alexa reads the SMS containing OTP (one-time password) in an extremely low voice. This response is again captured by the hacking device and sent where the hackers want it.
Such attacks are called Surfing Attacks. I tried to remove all of the technical words from the article so that even a non-tech can understand this problem. For an advanced reading, here a link to a research document that explains it better.
Read more: What are the attacks of Living Off The Land?