An attack “ SurfingAttack '' that can operate the smartphone arbitrarily with “ ultrasonic waves transmitted through the desk and floor '' is reported
With the advent of voice assistant AI, like Apple's Siri and Google Assistant, it has become possible to operate smartphones only by voice. However, through such a voice operation function, a third party accesses a smartphone with "ultrasonic transmitted to the desk"SurfingAttackHas been reported.
SurfingAttack: Interactive Hidden Attack on Voice
Assistants Using Ultrasonic Guided Waves
SurfingAttack, discovered by a joint research team such as Michigan State University and the Chinese Academy of Sciences, modulates the voice command of the smartphone to “ a frequency band that humans can barely hear '', and it can be obtained for about 500 yen eachPiezoelectric transducerCan be used to send an attack signal to a smartphone via a table.
The actual movie that demonstrates SurfingAttack can be seen in the following movie.
(embed) https://www.youtube.com/watch?v=pQw2zRAqVnI (/ embed)
Google Pixel, Galaxy S7 and Xiaomi M15 are placed on the desk along with books, notebooks and stationery. The coin-sized element at the bottom right of the screen is the piezoelectric transducer.
When a voice command converted to ultrasonic waves was transmitted from the piezoelectric transducer, the screens of all smartphones were turned on and the voice assistant was activated.
Also, any voice command can be converted to ultrasonic waves by a PC and transmitted by a piezoelectric transducer. After sending a voice saying "Shoot a selfie" …
Despite no one touching, the smartphone activated the camera and began selfie shooting.
If you send the ultrasonic signal "Take a selfie" many times, a selfie will be taken each time.
You can also adjust the volume of your smartphone …
You can also have your voice assistant read out the SMS with the two-step verification code.
In addition, we succeeded in making any party make a call by voice operation.
According to the research team, the success of SurfingAttack was confirmed by Apple.iPhone 5,iPhone 5s,iPhone 6+,iPhone X, GooglePixel,Pixel 2,Pixel 3The MotorolaMoto G5,Moto Z4, SamsungGalaxy S7,Galaxy S9, XiaomiMi 5,Mi 8,Mi 8 Lite, HuaweiHonor View 10,Mate 9In each case, voice operation is possible with ultrasonic waves around 30kHz. Also, even if it is protected with a silicone rubber smartphone case, SurfingAttack passed.
SurfingAttack has been reproduced on desks made of various materials such as metal, glass, plastic, etc.Since small and thin piezoelectric transducers can be hidden easily by laying a table cloth, it is a sufficiently realistic attack method The research team pointed out and listed the following six measures as measures.
・ Beware of devices placed on the desk
・ Reduce the contact area between desk and mobile phone
・ Place the smartphone on a soft cloth, etc., instead of directly on the desk
・ Use a thick smartphone case made of rare materials such as wood
Turn off personal search results on lock screen on Android
・ Disable voice assistant on the lock screen and lock it whenever you put your smartphone