Surfing attack manipulates voice assistant devices to extract information

According to researchers, ultrasonic waves can be used to manipulate voice assistants into interacting with attackers, who can then fetch sensitive data, make fraudulent calls, read two-factor authentication codes, and more.

What is Surfing attack?

Surfing Attack is a new type of attack in which ultrasonic waves, propagated by acoustic transmission, carry inaudible commands that slip past the victim's hearing range and interact with the voice assistant. Surfing Attack can be executed even 30 feet away from the target device. It was published by researchers from the University of Nebraska-Lincoln, Michigan State University, Washington University in St. Louis, and the Chinese Academy of Sciences. The attack was presented at the Network and Distributed System Security Symposium (NDSS) in San Diego last month.

How is Surfing attack executed?

A MEMS microphone works like a diaphragm: it helps the assistant by receiving sound and light and converting them into electrical signals, which are then decoded into commands. Because these microphones are nonlinear, attackers can transmit malicious ultrasonic signals using a piezoelectric transducer placed below the table. To stay discreet, attackers may use a guided wave and reduce the volume of the device, keeping the attack completely concealed.
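Why the nonlinearity matters, as an added example (not from the original article or the researchers' code): a toy model in which a 400 Hz tone stands in for voice-band content riding on an ultrasonic carrier. The sample rate, carrier frequency, modulation depth and the quadratic coefficient `a2` are assumed values chosen for illustration.

```python
import math

FS = 192_000         # simulation sample rate in Hz (assumed)
CARRIER_HZ = 28_000  # ultrasonic carrier, above human hearing (assumed)
TONE_HZ = 400        # stand-in for voice-band content (assumed)
DEPTH = 0.8          # modulation depth (assumed)


def am_ultrasound(n_samples):
    """Voice-band tone amplitude-modulated onto the ultrasonic carrier."""
    return [
        (1 + DEPTH * math.cos(2 * math.pi * TONE_HZ * n / FS))
        * math.cos(2 * math.pi * CARRIER_HZ * n / FS)
        for n in range(n_samples)
    ]


def microphone(signal, a1=1.0, a2=0.0):
    """Memoryless microphone model: out = a1*x + a2*x^2 (a2 = 0 is ideal)."""
    return [a1 * x + a2 * x * x for x in signal]


def amplitude_at(signal, freq_hz):
    """Single-bin DFT: amplitude of the component at freq_hz."""
    n = len(signal)
    re = sum(x * math.cos(2 * math.pi * freq_hz * i / FS)
             for i, x in enumerate(signal))
    im = sum(x * math.sin(2 * math.pi * freq_hz * i / FS)
             for i, x in enumerate(signal))
    return 2 * math.hypot(re, im) / n


def voice_band_leak(a2):
    """Amplitude at TONE_HZ in the microphone output for 100 ms of input."""
    mic_out = microphone(am_ultrasound(FS // 10), a2=a2)
    return amplitude_at(mic_out, TONE_HZ)


if __name__ == "__main__":
    # The input contains energy only near 28 kHz. An ideal linear microphone
    # passes nothing at 400 Hz; the squared term recreates the tone with
    # amplitude a2 * DEPTH inside the audible band.
    print("linear microphone   :", round(voice_band_leak(0.0), 6))
    print("nonlinear microphone:", round(voice_band_leak(0.1), 6))
```

Because the tone is recreated inside the voice band at the microphone itself, filtering ultrasound out of the digitized audio afterwards does not remove it.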

After successfully establishing the connection, attackers can use very simple commands such as ‘read my messages’ or ‘call John’, generated with text-to-speech (TTS) systems, to control and manipulate the device without being noticed.

Devices that can be vulnerable to this attack

The researchers tested different voice assistant devices to identify the vulnerable ones. Based on those tests, devices such as the Apple iPhone, Google Pixel, Samsung Galaxy S9, and Xiaomi Mi 8 were found vulnerable. However, the Huawei Mate 9 and Samsung Galaxy Note 10+ tested negative for this attack. According to the researchers, this failure could be due to the structure and material of the phone body. IoT devices such as Google Home and Amazon Echo are the major devices that incorporate voice commands, but luckily they appear to be immune to this attack.

Though the Surfing attack appears to be a little serious, it is not new to the cyber industry: other attacks such as BackDoor, LipRead and Dolphin Attack have already exploited the nonlinearity in microphones to deliver voice commands. Another critical study, by a Tokyo-based university, found that laser light can be used to inject ultrasonic commands into smartphones and speakers, which could then be manipulated and controlled to perform specific actions such as unlocking doors, starting car engines, making online purchases and more. This attack was called Light Commands. However, that attack requires the laser to be in direct contact with the target device, whereas the Surfing attack requires no direct contact.

With the increase in voice-based attacks, security professionals need to establish robust security policies, and security vendors need to come up with an effective solution against voice manipulation.

William Marshal

William has been one of the key contributors to 'The Cybersecurity Times', with 9.5 years of experience in cybersecurity journalism. Apart from writing, he also likes hiking, skating and coding.
