Your smart phone could be triggered remotely to dial a phone number run by cyber thieves to download cash. How? By sending radio waves that take over an iPhone Siri or Google Now voice command system, according to researchers at the French ANSSI network and information security agency.
An article this week in Wired details their paper, published by the IEEE (you have to pay for it), of the hack, dubbed a remote command injection. The attack mechanism is a laptop running the open-source software GNU Radio, a USRP software-defined radio, an amplifier, and an antenna about the size of your arm. OK, that’s one problem — hiding the antenna. Researchers think it could be concealed in a backpack.
Second, the hack only works if the smart phone owner is using headphones with a microphone. The headphone cable acts as the receiving antenna for the radio commands. Third, Siri or Google Now has to be enabled — and it won’t work if the smart phone is password-locked and the user is off-line, unless the phone allows the digital assistant to be enabled by voice command. Note also that some phones — the new iPhone 6s, for example, are capable of verifying the user’s voice. Fourth, the range of the system researchers created is at the most 16 feet, for a big version that needs to be hidden in a vehicle, and six feet for the backpack.
Still, Vincent Strubel, the director of their authors’ research group at ANSSI, is quoted by Wired as warning that “the sky is the limit here. Everything you can do through the voice interface you can do remotely and discreetly through electromagnetic waves.”
It didn’t take long for security vendors to issue commentary. “Leaving voice commands enabled from the locked phone is like locking your car with the windows down — you’ve done the right thing, but left a big hole in your strategy, said Tim Erlin, director of IT security and risk strategy for Tripwire. He says average users shouldn’t be worried, but government officials or those in sensitive positions at enterprises (we’re talking about you CISOs, network admins and database guardians) might think twice.
But Trustwave also wonders if the technique could also be used to attack systems like phone based credit processing or using the audio port for data transfer with IoT devices.
ANSSI researchers say equipment makers could make this attack more difficult through OS changes and using better shielding on headphone cables.
Your defence: Pay phones, snail mail.