Researchers at the University of Electro-Communications in Tokyo and University of Michigan report that laser pointers could allow hacking into popular voice-controlled devices, even if the hacker is hundreds of feet away.
Smart devices use microphones to translate sound into electrical signals, which can pass commands to the device. Researches found that microphones can respond the same way when there’s a focused light pointed directly at them. This means that voice-controlled devices like Alexa, Siri and Google Assistant can be controlled by hackers, using a simple laser pointer. The thing is, home speakers are not the only ones in danger. Your smart phone is too!
Risks associated with these attacks range from benign to frightening depending on how much a user has tied to their assistant. The researchers were able to unlock a victim’s smart-lock protected home doors, or even locate, unlock, and start various vehicles in their demonstrations. In short, once an attacker gains control over a voice assistant a number of other systems could be open to their manipulation.
In the worst cases, this could mean dangerous access to e-commerce accounts, credit cards, and even any connected medical devices the user has linked to their assistant.
The hacker would only need to be in the object’s line of sight, to be able to hack it. No password or PIN code is required to hijack a device with a light command. Your tablet, speaker, or phone can also be hacked, if an attacker points a laser at them, say, through a window.
An article on the University of Michigan’s website gives a breakdown of the study:
The range of these attacks is limited only by the intensity of an attacker’s laser and his line of sight. In one particularly compelling demonstration, the team used a laser from 75 meters away, at a 21° downward angle, and through a glass window to force a Google Home to open a garage door; they could make the device say what time it was from 110 meters away.
17 voice-controlled devices were tested in the experiment (including iPhone, iPad, Samsung Galaxy, Google Home, Google Pixel, Echo Dot and Fire Cube). The devices had Siri, Alexa, Google Assistant and Facebook Portal enabled:
To highlight the ease of exploiting this weakness, the researchers aimed and focused their light commands with nothing more than a telescope, a telephoto lens, and a tripod. They benchmarked its effectiveness on 17 different devices hosting the range of most popular assistants.
The surprising discovery is presented in the paper “Light Commands: Laser-Based Audio Injection Attacks on Voice-Controllable System”.