A report was published last week by a group of researchers who were able to use lasers to control the three biggest smart assistants: Siri, Alexa and Google Assistant. The devices received inaudible, sometimes invisible, commands from the lasers. The researchers were able to send commands such as asking the smart assistants to unlock doors or to unlock and start vehicles.
Because voice-controlled systems often do not require any form of authentication, the attack can be carried out without a PIN or a password. Although some systems do ask for a form of authentication when carrying out certain tasks, many of these devices don’t limit the number of attempts a user can make, so in many cases it can be feasible to brute force a PIN.
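The missing attempt limit is the part a device maker can fix in software. The sketch below is an added example, not code from the researchers or from any vendor: a PIN check that locks out after repeated failures with a doubling delay, and a helper that shows how long exhausting the PIN space would take under that policy compared with no limit. The class name, the sample PIN, the lockout values and the 4-digit PIN space are all assumptions chosen for illustration.

```python
import hmac


class VoicePinGate:
    """Hypothetical PIN check for a voice assistant (illustrative, not a vendor API)."""

    def __init__(self, pin, free_failures=3, base_lockout_s=30, max_lockout_s=3600):
        self._pin = pin
        self.free_failures = free_failures    # None reproduces the "no limit" weakness
        self.base_lockout_s = base_lockout_s  # assumed policy values
        self.max_lockout_s = max_lockout_s
        self.failures = 0
        self.locked_until = 0.0

    def lockout_after(self, failures):
        """Seconds of lockout imposed once `failures` consecutive failures are reached."""
        if self.free_failures is None or failures < self.free_failures:
            return 0
        doublings = min(failures - self.free_failures, 32)
        return min(self.base_lockout_s << doublings, self.max_lockout_s)

    def verify(self, spoken_pin, now):
        """Return 'ok', 'denied' or 'locked'; `now` is a timestamp in seconds."""
        if now < self.locked_until:
            return "locked"  # the candidate is not even compared while locked
        if hmac.compare_digest(spoken_pin.encode(), self._pin.encode()):
            self.failures = 0
            return "ok"
        self.failures += 1
        self.locked_until = now + self.lockout_after(self.failures)
        return "denied"


def worst_case_wait_s(gate, pin_space=10_000):
    """Total lockout time before every PIN in the space could have been tried."""
    # In the worst case every guess but the last one fails.
    return sum(gate.lockout_after(f) for f in range(1, pin_space))


if __name__ == "__main__":
    limited = VoicePinGate("4821")                       # constructed sample PIN
    unlimited = VoicePinGate("4821", free_failures=None)
    print("no limit:  ", worst_case_wait_s(unlimited), "s of enforced waiting")
    print("with limit:", worst_case_wait_s(limited) / 86400, "days of enforced waiting")
```

With these assumed values the enforced waiting alone exceeds a year's worth of guessing for a 4-digit PIN, whereas the unlimited configuration adds no delay at all.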
The low-powered lasers used in the attacks by the researchers can travel as far as 110 m (360 feet), giving attackers a lot of flexibility as to where they can send commands from. These lasers are also able to penetrate glass, allowing the attack to take place from building to building provided the susceptible device is next to a closed window.
The attack exploits a vulnerability in microphones that use micro-electro-mechanical systems (MEMS). The microscopic components of MEMS microphones unintentionally respond to light as though it were sound. Although the researchers only tested Google Assistant, Alexa, Siri, Facebook Portal and a handful of phones and tablets, they believe that the Light Commands attack will work on any device that uses MEMS microphones.
In a research paper titled “Light Commands: Laser-Based Audio Injection Attacks on Voice-Controllable Systems”, the researchers wrote:
“We show how an attacker can use light-injected voice commands to unlock the target’s smart-lock protected front door, open garage doors, shop on e-commerce websites at the target’s expense, or even locate, unlock and start various vehicles (e.g., Tesla and Ford) if the vehicles are connected to the target’s Google account.”