How your voice assistant can carry out hacker commands – without you ever hearing a thing
Regular WeLiveSecurity readers won’t be surprised to read that cyber-attacks and their methods are constantly evolving as bad actors continue to increase their repertoire. It’s also a common refrain that when security vulnerabilities are discovered and patched (unfortunately, sometimes after being exploited), bad actors find new loopholes in the software’s defenses.
Sometimes, however, it’s not “just” (other) security holes that make headlines, but new forms of attack. That happened recently with a somewhat unconventional attack method dubbed NUIT. The good news? NUIT was dug up by academics and there are no reports of anyone exploiting it for pranks or cybercrime. That said, it doesn’t hurt to be aware of the other ways in which your privacy and security can be compromised – as well as of the fact that NUIT can actually come in two forms.
How NUIT saw the light of day
NUIT, or Near-Ultrasound Inaudible Trojan, is a class of attack that can be used to launch a stealthy and remote takeover of devices that use or are supported by voice assistants such as Siri, Google Assistant, Cortana, and Amazon Alexa. As a result, any device that accepts voice commands – think your phone, tablet or smart speaker – could be fair game. In the end, such attacks can have some dire consequences, ranging from invasion of privacy and loss of trust to even compromise of a company’s infrastructure, which in turn can result in huge monetary losses.
Described by the research team at the University of Texas at San Antonio (UTSA) and the University of Colorado Colorado Springs (UCCS), NUIT is possible because the microphones in digital assistants can respond to near ultrasound waves playing from speakers. Even if you can’t hear it, this voice command prompts the always-on voice assistant to perform an action – say, turn off the alarm, or open the front door that’s secured with a smart lock.
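One way to check a recording for the kind of inaudible audio described above, as an added example that is not from the researchers or the original article: it measures how much of each 5 ms frame's energy sits in a near-ultrasound band and reports sustained bursts. The 16 to 20 kHz band, the 48 kHz sample rate, the thresholds and the synthetic test signal are all assumptions.

```python
import math

RATE = 48_000                         # assumed sample rate (Hz)
FRAME = 240                           # 5 ms frames -> 200 Hz DFT bins
PROBES = range(16_000, 20_001, 200)   # assumed near-ultrasound band, one probe per bin
RATIO = 0.5                           # assumed threshold: share of frame energy in band

def goertzel_power(frame, freq):
    """|X(f)|^2 of one frame at a single bin frequency (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_share(frame):
    """Fraction of the frame's energy that lies in the probed band (Parseval)."""
    total = sum(x * x for x in frame)
    if total == 0.0:
        return 0.0
    band = sum(goertzel_power(frame, f) for f in PROBES)
    return min(1.0, 2.0 * band / (len(frame) * total))

def find_bursts(samples, min_s=0.1):
    """Return (start_s, length_s) for each run of frames dominated by the band."""
    bursts, start = [], None
    n_frames = len(samples) // FRAME
    for i in range(n_frames + 1):     # one extra pass closes a run at end of input
        hot = i < n_frames and band_share(samples[i * FRAME:(i + 1) * FRAME]) >= RATIO
        if hot and start is None:
            start = i
        elif not hot and start is not None:
            length = (i - start) * FRAME / RATE
            if length >= min_s:       # ignore clicks shorter than min_s (assumed)
                bursts.append((start * FRAME / RATE, length))
            start = None
    return bursts

def constructed_sample(with_burst=True):
    """Constructed input: 1 s of a 440 Hz tone, plus an 18 kHz tone from 0.3 s to 0.8 s."""
    out = []
    for n in range(RATE):
        x = 0.2 * math.sin(2 * math.pi * 440 * n / RATE)
        if with_burst and 14_400 <= n < 38_400:
            x += 0.8 * math.sin(2 * math.pi * 18_000 * n / RATE)
        out.append(x)
    return out

if __name__ == "__main__":
    print(find_bursts(constructed_sample()))
```

The recording has to be sampled at 40 kHz or more for this band to be captured at all; audio that has been downsampled or heavily compressed may no longer contain it.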
To be sure, NUIT isn’t the first acoustic attack to make waves over the years. Previously, attacks with equally interesting names have been described – think SurfingAttack, DolphinAttack, LipRead and SlickLogin, along with several other silent attacks that also target smart home assistants.
Late at night
As mentioned, NUIT comes in two forms:
- NUIT 1 – This is when the device becomes both the source and the target of the attack. In such cases, all it takes is for the user to play an audio file on their phone, causing the device to perform an action, such as sending a text message with its location.
- NUIT 2 – This attack is launched by a device with a speaker against another device with a microphone, such as from your PC to a smart speaker.
For example, let’s say you’re watching a webinar on Teams or Zoom. A user on the call can play a sound, which will then be picked up by your phone, prompting it to visit a malicious website and compromising the device with malware.
Alternatively, you can play YouTube videos through your phone’s speakers, and the phone will then perform unwanted actions. From the user’s point of view, this attack doesn’t require any special interaction, which makes it even worse.
Should NUIT keep you up at night?
What would it take to carry out such an attack? Not much, though for NUIT to work, the speaker it’s launched from needs to be set to a certain volume level, with commands lasting less than a second (0.77 seconds).
Other than that, your voice assistant obviously has to be activated. According to the researchers, out of 17 devices tested, only devices that support Apple Siri are more difficult to crack. This is because a hacker needs to first steal your unique voice fingerprint for the phone to accept commands.
That’s why everyone should set their assistant to work only with their own voice. Alternatively, consider turning off your voice assistant when you don’t need it; indeed, stay cyber-aware when using any IoT devices, as all kinds of smart devices can become easy prey for cybercriminals.
The researchers, who will also be presenting their NUIT research at the 32nd USENIX Security Symposium, also recommend that users scan their devices for random microphone activations. Android and iOS devices display microphone activation, usually with a green dot on Android, and a brown dot on iOS at the top of the screen. In this case, also consider reviewing your apps’ permissions for microphone access, as not all apps need to listen to your surroundings.
Likewise, listen to audio using earphones or a headset, because then, you’re less likely to share your sound with your surroundings, protecting against attacks like this.
This is also a good time to make sure you have the basics of cybersecurity covered – keep all your devices and software up to date, enable two-factor authentication on all your online accounts, and use reputable security software on all your devices.