A new study shows how an attacker could use inaudible ultrasound to silently take control of phones, smart speakers, or any device with a digital assistant.
In a study first reported by BleepingComputer, researchers found that you can use this technique to issue voice commands to devices to make phone calls, unlock doors in smart homes, disable alarms, read text messages and more. The attack was tested on digital assistants such as Alexa, Cortana, Google Assistant and Siri.
The technique, called NUIT (Near-Ultrasound Inaudible Trojan), was featured in a presentation for the USENIX Security Symposium 2023 by a team of researchers at the University of Texas at San Antonio and the University of Colorado Springs.
“NUIT is a new inaudible attack against voice assistants (Siri, Google Assistant, Alexa, Cortana) that can be executed remotely over the internet,” the researchers write on a website describing the study. You can see the attack in action in a series of YouTube videos.
The attack method takes advantage of digital assistants using microphones that can pick up sounds inaudible to the human ear. NUIT plays sounds in the near ultrasound frequency range (16kHz-20kHz) to issue voice commands to smart devices, with some commands taking less than a second to play.
The study shows that you can use NUIT in a few different ways. For example, an attacker can trick you into clicking a link to a website or YouTube video on your phone, which plays inaudible voice commands after a short delay to control your phone. The researchers showed that NUITs also work when controlling from one phone to another, playing over Zoom calls, playing on a phone to control a smart speaker or other IOT device, and even embedded in files with additional background music.
In testing, NUIT attacks seem to have managed to control devices such as iPhones, Samsung Galaxy phones, and Google Home and Amazon Echo Devices.
While such new attacks are difficult actions to face in the real world for now, with the rise of artificial intelligence, voice commands will become more important to our daily lives and voice exploits will be in demand more than ever.
Researchers will present more details about the work at the USENIX Security Symposium in August.