Hackers Could Remotely Hijack Siri and Google Now

Two European researchers have found that it's possible to commandeer voice-controlled agents like Siri [pictured] or Google Now on smartphones, and use that access to surreptitiously execute commands on those devices. The strategy involves using intentional electromagnetic interference (IEMI) to gain control via headset microphones connected to smartphones, the researchers said.

José Lopes Esteves and Chaouki Kasmi, researchers with the Agence nationale de la sécurité des systèmes d'information, the French National Agency for Computer Security, described their findings in a paper published by the Institute of Electrical and Electronics Engineers (IEEE) in August.

The researchers said that they contacted Google and Apple about their research. They also called attention in their report to the need for more security investigations into vulnerabilities involving voice interfaces on smartphones and other devices.

Headphones = 'Gateway for Voice Commands'

In the article, "IEMI Threats for Information Security: Remote Command Injection on Modern Smartphones," Lopes Esteves and Kasmi described how electromagnetic interference could use smartphone-connected headphones as an antenna to establish a "gateway for the injection of voice commands."

Putting that gateway to use requires the ability to use a voice interpreter, the researchers said. On devices on which Google Now or Apple's Siri digital personal assistants have been activated, the electrical signals could be modulated to generate a keyword command like "OK, Google" or "Hey, Siri," and begin issuing commands to those devices.

Lopes Esteves and Kasmi give several examples of how that access could be put to use by malicious actors. It could, for instance, enable espionage by triggering a smartphone voice call to capture sounds in the surrounding area. It could also be used in a more wide-ranging attack on local devices to force victims' phones to activate paid telephone services or visit malicious Web pages.

'Tradeoff Between Security and Usability'

The researchers describe several ways...

Comments are closed.