{"id":90397,"date":"2019-11-07T04:04:15","date_gmt":"2019-11-07T12:04:15","guid":{"rendered":"https:\/\/www.intego.com\/mac-security-blog\/?p=90397"},"modified":"2021-11-03T14:03:24","modified_gmt":"2021-11-03T21:03:24","slug":"researchers-use-lasers-to-hack-siri-alexa-google-assistants","status":"publish","type":"post","link":"https:\/\/www.intego.com\/mac-security-blog\/researchers-use-lasers-to-hack-siri-alexa-google-assistants\/","title":{"rendered":"Researchers use lasers to hack Siri, Alexa, Google assistants"},"content":{"rendered":"

\"\"Researchers have used programmable low-powered lasers to remotely control voice-activated personal assistants like Apple’s Siri, Amazon’s Alexa, and Google Assistant from up to 360 feet away. These attacks exploit a vulnerability in microphones using micro-electro-mechanical systems (MEMS), which the researchers have discovered will respond to lasers the same way they will respond to sound.<\/p>\n

The attack method, called Light Commands, was only tested on the three big-name players in the personal assistant space, but the researchers believe this attack will affect any microphone that uses MEMS (presumably including devices with Microsoft Cortana, Baidu DuerOS, or other digital assistants).<\/p>\n

Although the attack is essentially a proof-of-concept at this stage, and has significant limitations (like requiring direct line-of-sight to the device), the researchers admit that they don\u2019t fully understand why this exploit works, which could open the door to others finding ways to make it even more effective.<\/p>\n

Voice-activated systems vary in the level of control they allow over a device without first gaining user authentication. Apple\u2019s track record with Siri is mostly decent in this sphere, with most critical voice-activated functions requiring a passcode or biometric verification (i.e. Touch ID or Face ID) before completing the request.<\/p>\n

In some circumstances, the Light Commands attack method can be used to brute-force a device passcode, so the usual security advice applies: choose a complex and not easily-guessable passcode, and set up your device to lock after a certain number of incorrect attempts. Even that basic level of security should protect you against this new and admittedly sci-fi sounding method of remote device hacking.<\/p>\n

You can find out more about the Light Commands attack at Ars Technica<\/a>\u00a0or at the Light Commands<\/a> homepage.<\/p>\n

Related:<\/em><\/p>\n

Researchers came up with a similar attack called DolphinAttack<\/a> in 2017, where inaudibly high-pitched voice commands were used to control an iPhone.<\/p>\n

\"\"<\/a>

DolphinAttack<\/a> is a method of sending a Hey Siri voice command in such a high pitch that humans cannot hear it. Image: Guoming Zhang\u00a0via\u00a0YouTube<\/a>.<\/p><\/div>\n

How can I learn more?<\/h3>\n

\"\"<\/a>This week on the Intego Mac Podcast<\/strong>\u00a0episode 108<\/a>, Intego’s experts will discuss the new Light Commands attack, as well as Apple’s privacy policy page update<\/a>, and whether an iPad can replace your MacBook<\/a>. Be sure to follow the podcast<\/a> to make sure you never miss the latest episode.<\/p>\n