Radio Waves Can Be Used To Hijack Androids and iPhones Via Siri and Google Now

An anonymous reader writes: Two French researchers have discovered a way to use the Siri and Google Now voice assistant software to relay malicious commands to smartphones without the user's consent or knowledge. This method relies on a special hardware rig that can send radio waves to smartphones with earphones plugged into them. The radio waves get picked up by the earphone cable, get transformed into electrical signals and then to software commands. The research is accompanied by a YouTube video as well. Note that this attack, as the article explains, so far relies on some bulky dedicated equipment, and on the attacker being close to the system he wants to disrupt.

That would be embarassing

[flarflue]

Ask someone's Siri where the horse dick is. Ask someone's Siri where the hard drugs are. Ask someone's Siri where the inflateable dolls are. Make sure you target politicians, you pranksters...

Time for...

[fyngyrz]

Time for an aftermarket add-on that goes in the phone jack that contains a low pass filter. Inductors, capacitors, pcb, input jack, output spike/plug, case.

If the paranoia grows sufficiently (or the threat actually does), it could be quite a moneymaker. You could probably sell a bunch at a premium to the various TLAs either way, as some of them are what one could reasonably describe as "professionally paranoid."

Fancy ones could have a LED that lights up using the shunted RF energy. A LED! Imagine that!

Or yo

Re:

[rst123]

Time for an aftermarket add-on that goes in the phone jack that contains a low pass filter. Inductors, capacitors, pcb, input jack, output spike/plug, case.

If the paranoia grows sufficiently (or the threat actually does), it could be quite a moneymaker. You could probably sell a bunch at a premium to the various TLAs either way, as some of them are what one could reasonably describe as "professionally paranoid."

I acknowledge the sarcasm, but please be careful, the marketing department might be listening.
On a more serious note, couldn't you just put a ferrite core on your headphones?

Re:

[BitZtream]

... yea, and it'll play over their head phones ... so no one will hear it ...

Next time read the summary, not the headline. Works with headphones pulled in by stimulating the microphone on the earbuds with RF.

No ear buds, no worky. With ear buds plugged in, no one will hear its response ... effectively no work.

Of course the required RF is going to cause other issues besides Now/Siri acting up, but go ahead continue to be ignorant and too stupid to realize this is nothing more than another sensationalist Sl

Risk

[fyngyrz]

You may be misunderstanding the risk, such as it is.

o Siri is given instructions via RF injection and incidental demodulation within the phone's mic input electronics.

o Siri performs an action you didn't ask it to do.

o You won't necessarily hear the instructions come in. In the cable, it's RF. Your earphones would also have to demodulate the signal. If they're purely inductive (most headphones are), they won't do that. If the circuitry they are plugged in to doesn't provide incidental demodulation (a lot less likely than an input like a mic input), it won't get back to the earphones that way either. Last chance is anything you say is fed back to your earphones by Siri / etc. Does it do that? My Galaxy Note 3 doesn't do that with Google voice. Why would it, anyway?

o If you're not looking at your phone, you might not even be aware this had happened. You might even be asleep. I nap with my earphones in, listening to music, on a fairly regular basis, for instance.

So while it's extremely unlikely to be any kind of an immediate threat because of the equipment and proximity issues, it actually might be able to cause problems in those rare cases where those issues do not prevent it. Mostly it depends on what the phone can be told to do, and what portion of that it will do without further interaction / confirmation.

Re:

[Muad'Dave]

No, but she can dial a $50/min phone number and run your bill up pretty quickly. Even innocuous-looking area codes can be costly - the Cayman Islands can be called from the US just like any other area code; in this case, 345. A call to 1-345-555-1212 looks like it would be covered under free 'long distance', right? Not. All of the entries of the form '1-xxx' in this table [countrycode.org] are lurking as costly international calls form the US.

See, Cortana is better

[unixisc]

Since the researcher did not try to see whether the same trick would work on a Lumia

Re:

[Anonymous Coward]

This attack is a good example of why I never wear headphones when listening to music on my phone. I just blare my music instead, which might annoy some people around me but actually I am doing them a favor by exposing them to culture and expanding their horizons. And anyway it is obviously the ONLY thing I can do to stay safe from this attack....so.....

Re:

[rmdingler]

FTA: "First off, it only works only when the headphones are plugged into the device, and the headphones have a microphone integrated, and aren't just simple music-listening earbuds."

So. Nay, varlet.

Re: Bad headline

[BronsCon]

Actually, good headline. Had you read the summary, you'd know that this attack requires a wired headset to be plugged in. Essentially (and wihout reading the article as I actually did something similar a few years back), they're sending an AM signal to the device via tha headphone cable at a multiple of the sample rate being used by the device's ADC, fooling it into thinking the radio signal coming throuh the antenna is an audio signal. Rather than try to guess the sample rate, they probably transmit at a multiple of 8000 and 22050hz; 176.4mhz would cover 4000, 8000, 16000, 22050, 24000, 44100, 48000, and 96000hz, actually. IIRC, I used 705.6mhz and only needed a handful of watts; the device could have been made about the size of a small home router including batteries and an in-built mp3 player to relay commands, but battery life would have been short-ish.

What is it about a headset jack that makes a phone a cellphone, again? I mean, I recall having a 47mhz cordless phone with a headset jack. Was that a cellphone? No.

Re:

[TWX]

Would this phenomenon explain why I've had a few times when amplified computer speakers have received and output radio stations? It's only happened a couple of times in the twenty years that I've played with computer speakers, but it's been really weird.

yes, AM radio. Mic input is more sensitive

[raymorris]

Yeah, it's the same idea. Microphone inputs are much more sensitive than speakers, so it happens a lot if you use a long mic cable but don't use the correct type, or if a connection is broken in the mic cable.

Am radio is basically the audio signal added to the radio signal. An antenna is a wire, and a wire is an antenna. So if you have a wire hooked up to a sound input which somehow does process the radio signal (such as by not being fast enough to do so), you can easily end up with just the AM audio coming through the wire/antenna to the audio input.

Re:

[KGIII]

Nope. That's the fillings in your teeth. /s

Re:

[hackwrench]

No, it's a bad headline because if fails to distinguish the attack mechanism from what I said.

Re:

[BronsCon]

Alright, Mr. Smartguy, care to suggest a better headline?

This headline accurately describes the issue. Of course it lacks the detail required to fully understand the issue, that's what the article is for; the summary should serve to provide enough detail to help determine whether the article might be interesting, and it also succeeds in its job.

There are plenty of opportunities to poke at Slashdot's "editorial" staff. This, however, is not one of them.

A good headline? easy.

[hackwrench]

RF pickup by wired headsets can be used to compromise smartphones.

Mentioning the brands of phone and AI assistant is superfluous, as those specifics can easily be swapped out for other smartphones as long as they can download any sort of command AI. It's the pickup approach that's novel. Put "that accept voice commands" if you wish to elaborate further.

Re:

[BronsCon]

From the perspective of the reader wanting to get as much information as quickly as possible, I suppose that's as close to perfect as a headline gets. From the perspective of a publication that wants eyeballs for as long as possible, it's the absolute opposite; something like "All Smartphones with Voice Control Compromised" would be ideal from that perspective. Of course, SEO needs to be considered, as well, in order to get in front of as many eyeballs as possible: "Android iPhone Siri Google Now Radio Hija

Re:

[hackwrench]

Also, I did not attempt to determine nor indicate the source of the headline. just that it was bad.

Defeat the attack

[Khyber]

Use BlueTooth headphones/headsets.

Re:

[KGIII]

Too cheap and too low tech - consider that some of these phones are the coveted iPhone.

Re:

[Khyber]

Most likely useless against a harmonic order attack like this. All you're doing here is fooling the phone into thinking the radio signal being shoved down the microphone wire is an audio signal. Low pass filter, as long as you're on a proper harmonic frequency, it'll still go through.

this is FBI/NSA/CIA style hacker shit

[strstr]

they can use radiowaves to remotely control and tap into/scan anything, even DRAM, CPU, brain/nerves, USB, keyboard, monitors.

the technique is called interferometry/electronic warfare but also you can do it with off the shelf parts. they call the off the shelf stuff van eck phreaking: https://en.wikipedia.org/wiki/... [wikipedia.org]

More info on the interferometry/electronic warfare kind used by our government from space satellites and over the horizon radar at http://www.drrobertduncan.com/ [drrobertduncan.com]

Info on interferometry: https:// [wikipedia.org]

"OK Google, install botnet software"

[Khyber]

"OK Google, begin DDoS script."

Imagine rolling through Times Square on New Years. Omnidirectional antenna on a micro version of this, get in the middle of the crowd, pwn everyone using wired headsets with a microphone, instant cellular botnet, and since you're not issuing commands from a cell phone or through the cellular network, you're not going to be traceable through that system.

You are effectively an invisible and untouchable attacker/control/command server. All you do is issue the command in a quick burst and go silent.

Re:

[TWX]

Omnidirectional antennae probably can't generate the desired effect.

Re:

[Guignol]

No, this is a french attack, we have to wave in your general direction...

Re:

[Khyber]

Just push enough power to it. Burst transmissions aren't that difficult to achieve.

Re:

[hackwrench]

Omnidirectional isn't important. What's important is that the RF be pretty close to some multiple of the length of the headset cord.

Voice recognition?

[WD]

OK, this is the sort of question that could be answered by RTFA, however when it's a 40-minute long video, I don't feel as bad.

When configuring Siri for voice activation, you go through some steps that give the impression that it's tuning the activation for your specific pattern of speech. Which presumably is to prevent false activation when somebody next to you is using the feature on their phone.

Assuming this is actually happening, would that prevent this sort of attack?

Re:

[jo_ham]

OK, this is the sort of question that could be answered by RTFA, however when it's a 40-minute long video, I don't feel as bad.

When configuring Siri for voice activation, you go through some steps that give the impression that it's tuning the activation for your specific pattern of speech. Which presumably is to prevent false activation when somebody next to you is using the feature on their phone.

Assuming this is actually happening, would that prevent this sort of attack?

I doubt it. The voice training just makes Siri respond more effectively to you when there are other noises around during activation. It can still be activated by someone else saying "Hey Siri" even after this training step (although commands are more limited if the iPhone is locked).

Fairly simple software fix...

[NicBenjamin]

Just have Siri or Ok Google say something whenever interpreting a voice command. Something simple like "OK Boss," would let the user know something is going on with their phone.

Which, of course, leaves the problem of how a non-tecvh-savy person would know that when your phone is doing weird shit you unplug the headphones, which is probably the harder thing to figure out, but hey.

Re:

[wbr1]

And the output you speak of comes through the headset. If that is not on a user, no bueno. However with Google now, if you have a screen lock it will not run commands without unlocking.

Re:

[NicBenjamin]

For the hack to work the headphones have to be plugged in. They are the attack vector. I can't think of a lot of use-cases where the headphones would be plugged in, but not in your ears.

Coax

[Daniel Matthews]

Just say'n.

Like shouting "Ok Google/Hey Siri" in public

[pipedwho]

I'd love to lean into the mic at a packed concert and say, "Ok Google, call mom, yes ... Hold the tourniquet tight while I find the vein."