Google Voice and Siri by Apple have given smartphone owners by the millions a way of doing everything from drafting emails to getting directions by barely raising a finger. Now French security researchers say that hackers can do just as much on a victim’s device, and without even being within sight.
Jose Lopes Esteves and Chaouki Kasmi, a pair of researchers working for the government of France, demonstrated in a recent journal article how Android and Apple smartphones are susceptible to silent attacks that are achieved by exploiting the way those devices process electrical signals.
“Numerous papers dealing with the analysis of electromagnetic attacks against critical electronic devices have been made publicly available. In this paper, we exploit the principle of front-door coupling on smartphones headphone cables with specific electromagnetic waveforms,” reads an abstract of their research published in August by the Institute of Electrical and Electronics Engineers.
According to their report, “The possibility of inducing parasitic signals on the audio front-end of voice-command-capable devices could raise critical security impacts.”
When an attacker is within range of a smartphone that’s been outfitted with headphones — specifically any model containing a built-in microphone — then the French duo say their new “silent remote voice command injection technique” can be used to feed different commands to the commandeered device.
With the right equipment, the hack can be carried out as far away as 16 feet — more than enough room to breathe for anyone who wants to ask questions of a stranger’s Siri.
“Their clever hack uses those headphones’ cord as an antenna, exploiting its wire to convert surreptitious electromagnetic waves into electrical signals that appear to the phone’s operating system to be audio coming from the user’s microphone,” Andy Greenberg wrote for Wired on Wednesday.
Although the French team’s findings went largely unnoticed in the first two months after publication, Mr. Greenberg’s article generated new curiosity concerning the exploit — an unconventional attack that can affect potentially tens of millions of targets.
“To use a phone’s keyboard you need to enter a PIN code. But the voice interface is listening all the time with no authentication,” Vincent Strubel, the director of the research group at France’s ANSSI, explained to Wired. “That’s the main issue here and the goal of this paper: to point out these failings in the security model.”
“The sky is the limit here. Everything you can do through the voice interface you can do remotely and discreetly through electromagnetic waves,” the report reads.
The researchers told Wired that Apple and Google have both been contacted about the vulnerabilities.
• Andrew Blake can be reached at ablake@washingtontimes.com.