Surfing attack manipulates voice assistant devices to extract information

According to researchers, ultrasonic waves can be used to manipulate voice assistants into interacting with attackers, who can then fetch sensitive data, make fraudulent calls, read two-factor authentication codes, and more.

What is Surfing attack?

Surfing Attack is a new type of attack in which ultrasonic waves, propagated by acoustic transmission, carry inaudible commands that slip past the frequency range the victim can hear and interact with the voice assistant. Surfing Attack can be executed even 30 feet away from the target device. It was published by researchers from the University of Nebraska-Lincoln, Michigan State University, Washington University in St. Louis, and the Chinese Academy of Sciences, and was presented at the Network and Distributed System Security Symposium (NDSS) in San Diego last month.

How is Surfing attack executed?

A MEMS microphone works like a diaphragm: it helps the assistant by receiving sound and light and converting them to electric signals, which are then decoded into commands. Since the microphones are nonlinear in nature, attackers can transmit malicious ultrasonic signals using a piezoelectric transducer placed below the table. To keep it discreet, attackers may deploy a guided wave and reduce the volume of the device, thus keeping the attack completely concealed.

After successfully establishing the connection, attackers can use very simple commands such as ‘read my messages’ or ‘call John’, generated with text-to-speech (TTS) systems, to control and manipulate the device in an unnoticeable way.
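The role of microphone nonlinearity described above can be seen in a small simulation. This is an added example, not code from the article or the researchers; the quadratic microphone model, its coefficient `a2`, the sample rate and the tone frequencies are all constructed assumptions.

```python
import math

FS = 192_000   # sample rate in Hz (constructed; high enough to represent ultrasound)
N = 19_200     # 0.1 s of samples, so every tone below falls on an exact 10 Hz bin


def tone_amplitude(samples, freq, fs=FS):
    """Amplitude of the `freq` component of `samples` (single-bin DFT)."""
    re = sum(x * math.cos(2 * math.pi * freq * i / fs) for i, x in enumerate(samples))
    im = sum(x * math.sin(2 * math.pi * freq * i / fs) for i, x in enumerate(samples))
    return 2 * math.hypot(re, im) / len(samples)


def two_ultrasonic_tones(f1, f2, n=N, fs=FS):
    """Sound pressure at the diaphragm: two tones, both above human hearing."""
    return [0.5 * math.sin(2 * math.pi * f1 * i / fs)
            + 0.5 * math.sin(2 * math.pi * f2 * i / fs) for i in range(n)]


def microphone(samples, a2):
    """Toy microphone model (assumption): linear response plus a quadratic term."""
    return [x + a2 * x * x for x in samples]


def audible_leak(a2, f1=30_000, f2=31_000):
    """Amplitude at the audible difference frequency (f2 - f1) after the microphone."""
    return tone_amplitude(microphone(two_ultrasonic_tones(f1, f2), a2), f2 - f1)


if __name__ == "__main__":
    pressure = two_ultrasonic_tones(30_000, 31_000)
    print("1 kHz content in the air: %.6f" % tone_amplitude(pressure, 1_000))
    for a2 in (0.0, 0.05, 0.1):
        print("a2=%.2f -> 1 kHz content after mic: %.6f" % (a2, audible_leak(a2)))
```

With a perfectly linear microphone (`a2 = 0`) nothing appears in the audible band; any quadratic term creates a 1 kHz component inside the microphone itself, which is why the signal is inaudible in the room yet audible to the assistant.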

Devices that can be vulnerable to this attack

Researchers tested different voice assistant devices to identify the vulnerable ones. Based on that research, devices such as the Apple iPhone, Google Pixel, Samsung Galaxy S9, and Xiaomi Mi 8 were found vulnerable. However, the Huawei Mate 9 and Samsung Galaxy Note 10+ tested negative for this attack. According to the researchers, this failure could be because of the structure and material of the phone body. IoT devices like Google Home and Amazon Echo are the major devices that incorporate voice commands, but luckily they appear to be immune to this attack.

Though Surfing attack appears to be a little serious, it isn’t new to the cyber industry: other attacks like BackDoor, LipRead and Dolphin Attack have already exploited the nonlinearity in microphones to deploy voice commands. Another critical study by a Tokyo-based university found that laser light can be used to inject ultrasonic commands into smartphones and speakers, which could be used to manipulate and control them to perform specific actions such as unlocking doors, starting car engines, making online purchases and more; this attack was called Light Commands. However, that attack requires the laser to be in direct contact with the target device, whereas Surfing attack requires no direct contact.

With the increase in voice-based attacks, security professionals need to establish robust security policies, and security vendors need to come up with an effective solution against voice manipulation.

William Marshal

William has been one of the key contributors to 'The Cybersecurity Times', with 9.5 years of experience in cybersecurity journalism. Apart from writing, he also likes hiking, skating and coding.
