A group of researchers from Georgetown University and UC Berkeley has demonstrated how voice commands hidden in YouTube videos can be used by malicious attackers to compromise smartphones. The attack works against phones that have the Google Now or Apple Siri voice command feature turned on. The researchers demonstrated that verbally obfuscated voice commands, which sound unintelligible to human listeners, can be embedded in videos and interpreted as commands by smartphones.
The infected video can come from any source that plays out loud within detection range of the smartphone. Sources tested include a laptop, a computer, a smart TV, another smartphone, a tablet, or even a speakerphone, as demonstrated in this video. The attack even works with background noise. The video shows a mechanical voice, translating written commands, played through a speakerphone ten feet from a phone that has the “OK, Google” voice command feature enabled.
More details about the attack and possible defenses can be found in this paper, and more attack demos can be found on this site. Further information can be found in this article by Help Net Security, and more still from our Sophos friends here.
You can turn off the “OK, Google” feature by following these steps:
- Open the Google app.
- In the top left corner of the page, touch the Menu icon.
- Tap Settings > Voice > “OK Google” Detection.
- From here, you can stop your phone from listening for “OK Google”.
You can disable Siri using these steps:
- Open the Settings app in iOS and go to “General”.
- Tap on “Siri” and, near the top of the screen, toggle the switch next to “Siri” to the OFF position.
- Confirm that you wish to disable Siri completely by tapping on “Turn Off Siri”.
- Exit out of Settings.
These features are enabled by default on most smartphones, so please check yours and warn your clients.