Watch Out, Demonic Hidden Voice Commands Could Hijack Your Phone
Your device could be possessed and you wouldn't even know it, security researchers show
Demonic sounds are usually related to evil spirits, but researchers have found a way to turn them into “hidden voice commands” for Android devices.
A group of Ph.D. candidates at Georgetown and University of California, Berkeley developed a series of voice commands that can be recognized and executed by smartphone virtual assistants, but not very easily by human ears.
Some of the things these hidden commands can potentially do include sending a tweet, making a phone call, or even using Venmo to transfer money. Or, in a cyberattack scenario, a hidden command could open a website that automatically downloads malware, which then leads to hackers having full control of your device.
To the human ear, these audio clips are audible but sound like random, static noise. The hidden voice commands start out as a human recording, but then they’re processed and masked in order to sound like complete gibberish — so they’re actually not all that hidden.
If you listen to the recordings with knowledge of what the actual message is, you could unconsciously “hear” that message in the noise. But if you’re walking around in a normal day and hear it, you won’t think twice.
Yet, the researchers said people listening to the command of “Okay, Google” were able to understand it about 20 percent of the time. Google on the other hand, was able to understand and execute the command 95 percent of the time. Researchers also used the command “Turn on airplane mode,” but the results were less accurate. That second command just sounds like a recording of a possessed person in a horror movie.
For the commands to work, the Android device has to be within a 10-feet radius. However, there is one distance exception, and that can be a hidden message hidden in YouTube videos or TV/radio broadcasts. Imagine watching a cute cat video with a hidden message, and your phone might automatically tweet about it or place a purchase.
A similar situation occurred earlier this month when a child accidentally ordered a $150 doll house from Amazon by simply asking Amazon’s Alexa, “Can you play dollhouse with me and get me a dollhouse?” Later that week, a San Diego news station picked up the story, and when the anchor said “Alexa ordered me a dollhouse,” people with Amazon Echo devices watching the newscast reported their device also placed an order.
Though this is just a research project for now, having hidden demon voices control your electronics is quite terrifying on different levels. But it could also be avoided by simply turning off intelligent voice assistant like OK Google, Siri, Cortana, and Alexa.
There is another security measure that many of these voice assistants have, which is that it confirms your command before executing, but the researchers behind the study said that can be defeated. Siri and OK Google ask you to confirm commands by simply replying with “yes” or “okay” once it reads back your command. So, all hackers would have to do is time the seconds between the command and confirmation and voice assistant would continue with the execution.
The researchers had their fun exploiting the Google assistant, but they also took the time to develop a solution to the problem by evaluating “several defenses,” including notifying the user when a voice command is accepted. Another idea would be a program that recognizes if the command is coming from a human or another device.
So next time you hear demonic voices, don’t worry you’re not going crazy, it might be a cyberattacker trying to hijack your phone.