Speech recognition systems like Siri or Google Now have become quite popular since they were first seen in the mid-2000s. These and others, such as Cortana and Alexa have made our phones, computers and even our homes voice controllable, letting us dial phone numbers, play music, adjust thermostats, or even unlock doors without touching our phones.
A recent study conducted at Zhejiang University in China has shown that such speech recognition systems are vulnerable to hidden commands that the researchers are calling “Dolphin Attacks.” How do you hide a voice command? Make it ultrasonic. Humans hear sounds between 20 Hz and 20kHz. If you record a phrase, and shift it above 20 kHz, then play it back, you can’t hear it, but dogs, bats, dolphins and, unfortunately, phone and computer microphones can.
“Dolphin Attacks” can be used to:
- Open malicious websites, which can launch a drive-by-download attack or exploit a device with 0-day vulnerabilities.
- Spy on users by initiating outgoing video/phone calls, therefore getting access to video or sound of the devices surroundings.
- Inject fake information by sending fake text messages and emails, online posts, calendar events, etc.
- Deny service, by turning on airplane mode, disconnecting all wireless communications.
- Conceal attacks by dimming the targeted device’s screen and lowering its speaker volume.
Which systems are vulnerable?
Vulnerable systems include Siri, Google Now, Samsung S Voice, Huawei HiVoice, Cortana and Alexa. A similar study in the U.S. also demonstrated Alexa’s vulnerability.
The Zhejiang University researchers have also proposed both hardware and software fixes for this vulnerability, but it will take time for vendors to implement them. In the mean time, you might be asking yourself “Do I need to protect yourself from Dolphin Attack?”
Not yet found in the wild
It is important to note that neither study shows any evidence of this vulnerability having been exploited in the wild. The researchers used special equipment and the experiment showed that due to background noise about as loud as that produced by an air conditioner or conversational speech, vulnerability dropped off quickly beyond 5 or 6 feet away.
These experiments remind us of a few common sense precautions that just happen to be good advice for other reasons, and may help if you’re really worried about Dolphin Attack:
- Never leave your phone, laptop, tablet or computer unattended in a public place.
- Be aware of your surroundings, and those around you; report suspicious behavior to law enforcement or building security.
- Consider disabling voice activation of speech recognition apps, e.g., “Hey Siri” or “Ok, Google” using the push button activation instead. Note that this will also prevent those awkward moments when multiple phones respond to “Hey Siri” or “Okay, google….”
- Consider disabling access to voice commands from the lock screen. Note that doing so can also help protect your privacy if you lose your device.