Researchers working at Michigan State University, the Chinese Academy of Sciences, the University of Nebraska-Lincoln, and Washington University in St. Louis have released a paper describing what they call the "SurfingAttack:" a way to send messages to voice-activated assistant systems using ultrasonic-guided sound waves.
"We want to raise awareness of such a threat," claims Ning Zhang, assistant professor of computer science and engineering at the McKelvey School of Engineering, of his team's reason for releasing details of the vulnerability. “I want everybody in the public to know this. I feel like not enough attention is being given to the physics of our computing systems. This is going to be one of the keys in understanding attacks that propagate between these two worlds."
While ultrasonic attacks on voice-activated assistant systems like Google Home, Amazon's Alexa, and Apple's Siri aren't new, they typically require line-of-sight to the target device. The SurfingAttack, by contrast, is able to attack targets which are not visible to the attacker — and in a way which is inaudible to occupants of the same room — by sending the signal through the surface of a table, rather than through the air.
"To accomplish SurfingAttack, we have solved several major challenges," the team explains in the abstract to their paper. "First, the signal has been specially designed to allow omni-directional transmission for performing effective attacks over a solid medium. Second, the new attack enables multi-round interaction without alerting the legitimate user at the scene, which is challenging since the device is designed to interact with users in physical proximity rather than sensors."
While SurfingAttack is novel for its ability to pass its attack signal through solid surfaces — including transmission via glass, metal, and wooden tables — it's not the first successful inaudible attack against voice recognition systems: Late last year, researchers used crossing ultrasonic beams to send otherwise-inaudible commands to voice assistant systems, while those based on MEMS microphones can be targeted and controlled using lasers.
The researchers have developed several ways to mitigate the vulnerability. The simplest of these is to put a tablecloth or other woven material between the device and the table surface to damp the vibrations from the ultrasonic signal; others require rather more work, such as the development of software which could reject commands received outside the frequency of human voices or physically moving the location of the microphone. Another alternative may be to jam the signal using a rival ultrasonic emitter.
More information, including a full copy of the paper under open-access terms, can be found on the SurfingAttack website.