Some security researchers they found out a way to secretly hijack Siri and other digital assistants for smartphones using ultrasonic waves, sounds that normally cannot be heard by humans.
The attack, which is imperceptible to the human ear, can be used to read messages, make fraudulent phone calls or take photos without the user’s knowledge.
The exploit uses high frequency sound waves and imperceptible to activate and interact with the digital assistant of a device. While similar attacks have surfaced in the past, SurfingAttack focuses on the transmission of these waves through solid materials, such as tables.
The researchers found that they could use a $ 5 piezoelectric transducer, attached to the bottom of a table, to send these ultrasonic waves and activate a voice assistant without the user’s knowledge.
Using these unnoticeable ultrasonic waves, the team was able to activate voice assistants and issue commands to make phone calls, take photos or read a message that contained a two-factor authentication passcode.
To further hide the attack, the researchers first sent an imperceptible command to lower the volume of a device, and then record the responses using another device hidden under a table.
SurfingAttack has been tested on a total of 17 devices and has proven effective against most models. Some iPhone, Google Pixel and Samsung Galaxy devices are vulnerable to attack, although research has not found which specific iPhone models have been tested.
All digital assistants, included Siri, Google Assistant and Bixby, are vulnerable.
Only the Huawei Mate 9 and the Samsung Galaxy Note 10+ were immune to the attack, although researchers attribute this to the different sonic properties of their materials. They also noted that the attack was less effective when used on tables covered with a tablecloth.