SurfingAttack Can Silently Control an iPhone from 30-Feet Away
Credit: Wachiwit / ShutterstockToggle Dark Mode
Researchers from Washington University in St. Louis have discovered a novel way of activating Siri on your iPhone without you knowing — ultrasonic waves.
Theses sound waves are silent to the human ear, so a hacker wouldn’t even have to say a word to make a phone call or take a photo using the virtual assistant on your iPhone.
Ultrasonic waves are sound waves, but they are transmitted at a high frequency that humans can’t hear.
Even though your ears are not able to detect ultrasonic waves, the microphone in many modern smartphones can and will respond to these ultrasonic “voice commands.”
Not only can ultrasonic waves control a phone from a distance, but a covertly placed microphone can also provide back and forth communication with the phone’s voice assistant.
Lead researcher Ning Zhang and his team were able to send ultrasonic voice commands to cellphones that were sitting on a nearby table. The piezoelectric transducer (PZT), which produces the ultrasonic waves, was hidden underneath the table along with a microphone. Using this setup, which they called a surfing attack, researchers were able to both make a phone call and listen to a message that was read back by the voice assistant.
The surfing attack was successful against phones from Apple, Google, Samsung, Motorola, Xiaomi, and Huawei.
Of the 17 phones tested, 15 were vulnerable.
Because these ultrasonic waves can travel through solid objects, Zhang was able to control the phone through glass, metal, and wood tables at a distance of up to 30 feet. It also worked through plastic, though not as reliably. Cell phone cases did little to prevent the attacks.
The best way to block the ultrasonic waves is apparently to use a tablecloth, which caused an “impedance mismatch.”
Users can also disable the voice assistant on the lock screen, as well as make sure they lock their phone whenever they put it down.
This research was presented recently at the Network and Distributed System Security Symposium in San Diego, California.
