Manipulating Systems Using Remote Lasers

Many systems are vulnerable:

Researchers at the time said that they were able to launch inaudible commands by shining lasers — from as far as 360 feet — at the microphones on various popular voice assistants, including Amazon Alexa, Apple Siri, Facebook Portal, and Google Assistant.

[…]

They broadened their research to show how light can be used to manipulate a wider range of digital assistants — including Amazon Echo 3 — but also sensing systems found in medical devices, autonomous vehicles, industrial systems and even space systems.

The researchers also delved into how the ecosystem of devices connected to voice-activated assistants — such as smart-locks, home switches and even cars — also fail under common security vulnerabilities that can make these attacks even more dangerous. The paper shows how using a digital assistant as the gateway can allow attackers to take control of other devices in the home: Once an attacker takes control of a digital assistant, he or she can have the run of any device connected to it that also responds to voice commands. Indeed, these attacks can get even more interesting if these devices are connected to other aspects of the smart home, such as smart door locks, garage doors, computers and even people’s cars, they said.

Another article. The researchers will present their findings at Black Hat Europe — which, of course, will be happening virtually — on December 10.

Posted on December 1, 2020 at 6:13 AM • 8 Comments

Comments

Clive Robinson December 1, 2020 8:16 AM

You see,

“The paper shows how using a digital assistant as the gateway can allow attackers to take control of other devices in the home:”

Yet people still think I’m weird because as a “technologist” I don’t have a house full of that stuff.

More frightening is some people are trying to turn TVs into “digital assistants” so the companies can steal more PPI and also make you vulnerable to these sorts of attacks…

I find myself asking in my head “when are these people going to learn”…

The only real reasons more people are not attacked by their “digital assistants” are,

1, It’s a very target rich environment.
2, The usual cyber-crooks have not yet found a safe and easy way to make money off of them.

For those that have households full of this junk, let me just say, I hope for your sake reason two does not change any time soon.

wiredog December 1, 2020 8:26 AM

Tech Enthusiasts: Everything in my house is wired to the Internet of Things! I control it all from my smartphone! My smart-house is bluetooth enabled and I can give it voice commands via Alexa! I love the future!

Technologists/Security Engineers: The most recent piece of technology I own is a printer from 2004 and I keep a loaded gun ready to shoot it if it ever makes a noise I don’t recognize.

Goat December 1, 2020 10:13 AM

This is an interesting thing but probably the average joe using such devices in their home is more likely to be pawned using password dumps. The best this research may do is deter some buyers.. Where even the Snowden revelations weren’t enough as most information flows through surveillance capitalists. ..Alexa stop typing 😉

Peter December 2, 2020 7:29 AM

The only IoT things I have in my home are a couple of “smart plugs” that can be switched on and off remotely, but also measure energy consumption, voltage, etc., record it at intervals and send to a server, so I can get CSV files of data to process. I plan to build a photovoltaic array as a supplemental / backup source of electricity so I need some measurements to see what I could power with the small sunlit area I have at my disposal and if it makes sense at all. I am taking a calculated risk – if these get hacked, someone could turn off the equipment being measured, the biggest risk is turning off my fridge – but I will notice it after a few hours at most so not a big risk at all.

After I finish the measurements I am going to repurpose them as Christmas lights controllers.

k15 December 2, 2020 4:25 PM

Is there a way to disable Siri, OK Google, and other such assistants on Android and iOS mobile phones?
