New research shows how an attacker can use inaudible ultrasound to silently take control of phones, smart speakers, or any device with a digital assistant.
In a study first reported by BleepingComputer, researchers found you can use the technique to give devices voice commands to make phone calls, unlock doors in smart homes, disable alarms, read text messages, and more. The attack was tested on digital assistants including Alexa, Cortana, Google Assistant, and Siri.
The technique—called a Near-Ultrasound Inaudible Trojan (NUIT)—comes from a team of researchers at the University of Texas at San Antonio and the University of Colorado Colorado Springs in a presentation prepared for the USENIX Security Symposium 2023.
“NUIT is a novel inaudible attack against voice assistants (Siri, Google Assistant, Alexa, Cortana) that can be waged remotely through the internet,” the researchers write on a website describing the work. You can see the attack in action in a series of YouTube videos.
The attack takes advantage of the fact that digital assistants use microphones that can pick up sounds that are inaudible to the human ear. NUIT plays sounds in the near-ultrasound frequency range (16 kHz to 20 kHz) to give voice commands to smart devices. Some commands take less than a second to play.
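From the defender's side, the same frequency range can be watched for. The following is an added example, not code from the researchers or from this article: it measures how much of each 10 ms frame's energy sits in the 16 kHz to 20 kHz band and reports the frames that exceed a threshold. The 48 kHz capture rate, the frame size, the threshold and all function names are assumptions, and the input is a constructed pair of plain sine tones.

```python
import math

SAMPLE_RATE = 48_000        # assumed capture rate; must exceed 2 x 20 kHz
BAND_HZ = (16_000, 20_000)  # near-ultrasound range given in the article
FRAME = 480                 # 10 ms at 48 kHz, so DFT bins are 100 Hz apart
THRESHOLD = 0.2             # assumed tuning value: in-band share of frame energy

def goertzel_power(frame, k):
    """Return |X[k]|^2 for one DFT bin using the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * k / len(frame))
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_ratio(frame, rate=SAMPLE_RATE, band=BAND_HZ):
    """Fraction of the frame's energy that falls inside `band`."""
    if rate <= 2 * band[1]:
        raise ValueError("sample rate too low to observe the band")
    total = sum(x * x for x in frame)
    if total == 0.0:
        return 0.0
    n = len(frame)
    lo, hi = math.ceil(band[0] * n / rate), math.floor(band[1] * n / rate)
    # Parseval: sum(x^2) = (1/N) * sum(|X[k]|^2); real input mirrors each bin.
    in_band = 2.0 * sum(goertzel_power(frame, k) for k in range(lo, hi + 1)) / n
    return min(in_band / total, 1.0)

def scan(samples, rate=SAMPLE_RATE, frame=FRAME, threshold=THRESHOLD):
    """Return start offsets (ms) of frames whose in-band share meets the threshold."""
    hits = []
    for start in range(0, len(samples) - frame + 1, frame):
        if band_ratio(samples[start:start + frame], rate) >= threshold:
            hits.append(start * 1000 // rate)
    return hits

def tone(freq, amp, n, rate=SAMPLE_RATE):
    """Constructed test signal: sample n of a continuous plain sine."""
    return amp * math.sin(2.0 * math.pi * freq * n / rate)

# Constructed input: 30 ms of a 1 kHz tone, then 20 ms with an 18 kHz tone mixed in.
SAMPLE = [tone(1_000, 1.0, n) + (tone(18_000, 0.6, n) if n >= 1_440 else 0.0)
          for n in range(2_400)]

if __name__ == "__main__":
    print(scan(SAMPLE))  # [30, 40]
```

A capture path that samples at 44.1 kHz or higher is needed for this band to be visible at all, and the threshold would have to be tuned against ordinary audio for the device in question.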
The study shows you can deploy NUIT through several different means. For example, an attacker could trick you into clicking a link to a website or a YouTube video on your phone, which would then play the inaudible voice commands after a delay to control your phone. Researchers demonstrated that NUITs also work when played from one phone to control another, over Zoom calls, when played on a phone to control a smart speaker or other IoT device, or even when embedded in files that have additional background music.
In tests, NUIT attacks successfully controlled gadgets including iPhones, Samsung Galaxy phones, and Google Home and Amazon Echo devices.
This sort of novel attack tends to see limited action in the real world. But with the rise of AI-assisted computing, voice commands will likely become more essential to our daily lives and audio exploits will be more in demand than ever.
The researchers will present more details about the study at the USENIX Security Symposium in August.