Dolphin Attack – Another new threat:
Can you think of a scenario where your smartphone starts making calls, sending text messages or browsing malicious websites automatically without your knowledge? Interestingly, hackers are making this possible with Siri or Google Now (phone’s assistant). Chinese security researchers from Zhejiang University have found an innovative activation of your voice recognition systems by exploiting a security vulnerability which is common among all voice assistants.
Known as Dolphin Attack, this technique works as per commands of ultrasonic frequencies that are too high for us but perfectly audible to the microphones of your devices. The cybercriminals can utter commands into your smartphones and hijack Siri or Google Now and make them open your smart lock to access malicious websites.
This attack can function on all voice recognition platforms and can affect both iOS and Android mobile platforms. Thus, your device is at risk irrespective of iPhone, Nexus or Samsung device. Since smartphone allows users a broad functionality through voice commands like calling, sending SMSs, accessing any web page or setting the phone to airplane mode, the researchers were able to order an iPhone successfully.
The research also says any cybercriminal can send inaudible voice commands to the device forcing to perform malicious tasks like:
- Visiting any malicious website – resulting in exploitation of the victim’s device with zero-day vulnerabilities.
- Spying — instructing the victim’s phone to start an outgoing video or phone calls and get access to the images and surrounding sound of the phone.
- Adding bogus information — instructing the victim’s phone to send fake emails or SMS’ to publish fake information or even adding baseless events to the planner calendar.
- Denial of Service — adding commands to turn on the ‘airplane mode,’ and then taking the device offline by disconnecting all wireless communications.
- Concealing attacks — in order to hide the attack, the criminals many times minimize the odds by dimming the screen and lowering the device volume.
Normally, the signal given by the researchers was between 25 to 39kHz. They managed to make the attack work at 175cm, which is a practical figure for sure.
The worry of Dolphin attack:
Dolphin Attack works on anything including Siri, Google Assistant, Samsung S Voice, Huawei Hi Voice, Cortana, and Alexa, on devices such as smartphones, iPads, MacBooks etc. The voice commands that are not audible can be perfectly recognized by the SR [speech recognition] systems on the tested hardware and function even if the criminal has no direct connection to your device and inspite of all the necessary security measures taken.
How to prevent Dolphin Attacks?
In order to prevent this attack, device manufacturers are making few hardware alterations to fix the vulnerability by simply programming the mobile devices to ignore voice commands at inaudible frequencies or at 20 kHz.
From users’ perspective, a prompt solution to avoid Dolphin attacks is to turn off voice assistant apps from settings, before any official patch reaches your device. In order to disable Siri, just go to your iOS device’s settings → General → Accessibility → Home Button → Siri and then toggle “Allow Hey Siri” to off. If you wish to turn off Google Home, you can mute Google Home’s microphones, press and hold its physical mute button at the back. Using an antivirus software is advisable
Read More – Blog eScan