Voice assistants are all the rage in the tech world nowadays: Apple has one, Google has one, Microsoft has one, Amazon has one, Samsung has one, and so on. They still aren’t all that useful at this stage, and most people wouldn’t care if they vanished. According to a recently published security paper, they might even be a system vulnerability.
Using a cheap hack called the Dolphin Attack (for reasons that will quickly become apparent) with $3 of equipment, security researchers were able to take control of Google Assistant, Alexa, and Cortana, among others, and issue inaudible voice commands which were then carried out. While the concept of inaudible voice commands sounds like an oxymoron, it isn’t. Voice assistants pay attention to a wide range of frequencies, including those as low as the 20 kHz range, which humans can’t hear but machines can.
With that in mind, the hack works like this: it sends voice commands to the PC at ultrasonic frequencies, so normal humans are unable to hear these commands, while PCs and voice assistants can.
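From the defender's side, the same property gives a detection signal: a captured audio frame whose energy sits mostly at or above the 20 kHz range did not come from a human voice. The sketch below is an added example, not code from the researchers or from any vendor; it assumes access to raw microphone samples at 96 kHz before any low-pass filtering, and the 0.5 threshold, the function names and the test tones are all constructed for illustration.

```python
import math

SAMPLE_RATE = 96_000    # assumed raw capture rate (Hz); not from the article
ULTRASONIC_HZ = 20_000  # the article's boundary: the 20 kHz range is inaudible

def goertzel_power(samples, freq_hz, sample_rate=SAMPLE_RATE):
    """Signal power at a single frequency (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / sample_rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def ultrasonic_ratio(samples, sample_rate=SAMPLE_RATE, step_hz=500):
    """Share of probed power at or above ULTRASONIC_HZ (0.0 for silence)."""
    nyquist = sample_rate // 2
    low = sum(goertzel_power(samples, f, sample_rate)
              for f in range(step_hz, ULTRASONIC_HZ, step_hz))
    high = sum(goertzel_power(samples, f, sample_rate)
               for f in range(ULTRASONIC_HZ, nyquist, step_hz))
    total = low + high
    return high / total if total > 0 else 0.0

def is_suspicious(samples, threshold=0.5):
    """Flag a frame whose energy sits mostly where no human voice does."""
    return ultrasonic_ratio(samples) >= threshold

def tone(freq_hz, amplitude, n=960):
    """Constructed test input: a pure sine, 10 ms at SAMPLE_RATE."""
    return [amplitude * math.sin(2.0 * math.pi * freq_hz * i / SAMPLE_RATE)
            for i in range(n)]

if __name__ == "__main__":
    audible = tone(1_000, 1.0)                       # ordinary audible content
    mixed = [a * 0.2 + b for a, b in zip(audible, tone(25_000, 1.0))]
    for name, frame in (("audible only", audible), ("with 25 kHz energy", mixed)):
        print(f"{name}: ratio={ultrasonic_ratio(frame):.3f} "
              f"suspicious={is_suspicious(frame)}")
```

A capture path that samples at 16 kHz or 44.1 kHz cannot represent this band at all, so the check only makes sense close to the microphone hardware.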
The researchers listed examples of actions they were able to carry out, simply by voice commands. These include:
- Visiting a malicious website. The device can open a malicious website, which can launch a drive-by-download attack or exploit a device with 0-day vulnerabilities.
- Spying. An adversary can make the victim device initiate outgoing video/phone calls, therefore getting access to the image/sound of device surroundings.
- Injecting fake information. An adversary may instruct the victim device to send fake text messages and emails, to publish fake online posts, to add fake events to a calendar, etc.
- Denial of service. An adversary may inject commands to turn on the airplane mode, disconnecting all wireless communications.
- Concealing attacks. The screen display and voice feedback may expose the attacks. The adversary may decrease the odds by dimming the screen and lowering the volume.
Microsoft has expanded the power of Cortana to include system functionality like shutting down the computer, restarting or even locking it, and Cortana’s base functionality allows it to launch programs without confirmation. You can also use Cortana to call While you probably won’t be able to do that much damage using Cortana alone on the average Windows PC, it is still a security oversight that is alarmingly easy to circumvent, especially with voice assistants in our phones, computers, and home appliances.
We’ve reached out to Microsoft for comment, and will update this article should they reply.