Two European researchers have found that it’s possible to commandeer voice-controlled agents like Siri [pictured] and Google Now on smartphones, and use that access to surreptitiously execute commands on those devices. The strategy involves using intentional electromagnetic interference (IEMI) to gain control via headset microphones connected to smartphones, the researchers said.
José Lopes Esteves and Chaouki Kasmi, researchers with the Agence nationale de la sécurité des systèmes d’information, the French National Agency for Computer Security, described their findings in a paper published by the Institute of Electrical and Electronics Engineers (IEEE) in August.
The researchers said that they contacted Google and Apple about their research. They also called attention in their report to the need for more security investigations into vulnerabilities involving voice interfaces on smartphones and other devices.
Headphones = ‘Gateway for Voice Commands’
In the article, “IEMI Threats for Information Security: Remote Command Injection on Modern Smartphones,” Lopes Esteves and Kasmi described how electromagnetic interference could use smartphone-connected headphones as an antenna to establish a “gateway for the injection of voice commands.”
Putting that gateway to use requires the ability to use a voice interpreter, the researchers said. On devices on which Google Now or Apple’s Siri digital personal assistants have been activated, the electrical signals could be modulated to generate a keyword command like “OK, Google” or “Hey, Siri,” and begin issuing commands to those devices.
Lopes Esteves and Kasmi give several examples of how that access could be put to use by malicious actors. It could, for instance, enable espionage by triggering a smartphone voice call to capture sounds in the surrounding area. It could also be used in a more wide-ranging attack on local devices to force victims’ phones to activate paid telephone services or visit malicious Web pages.
‘Tradeoff Between Security and Usability’
The researchers describe several ways in which people can defend against such IEMI attacks on their phones. Defensive measures include disabling voice controls when they’re not being used and disconnecting headphones.
However, there is a tradeoff between security and usability with these voice control services, Lopes Esteves and Kasmi noted. They added that device manufacturers and other service providers might consider reducing the accessibility of some critical features to voice control, integrating improvements in speech recognition or even adding better protection to headphone cables.
Apple already appears to be working on more finely tuned speech recognition for Siri. Its latest version of the mobile operating system for iPhones and other devices — iOS 9 — includes a feature for “voice training” Siri to better recognize the device user’s voice.
“This was an interesting attack vector and usage of radio equipment to trigger functionality on the phone remotely,” Zuk Avraham, founder and CTO of the IT security firm Zimperium, told us. Zimperium uncovered the massive Stagefright vulnerability in Android phones earlier this year. Avraham called the researchers’ idea “creative and novel.”
Outside of the lab, however, the IEMI attack vector shouldn’t cause too much concern for smartphone owners, as “the attack prerequisites reduce the number of vulnerable users significantly,” according to Avraham. Up-to-date mobile security would protect users by preventing unauthorized access to malicious sites, he said.
Users who want to ensure they don’t fall victim to IEMI attacks should turning off intelligent assistants when they’re not in use, Avraham said. And, “If you have to use Siri or Google now, make sure that headphones with microphone are not connected,” he added.
