Security News > 2023 > April > Hey Siri, use this ultrasound attack to disarm a smart-home system

Academics in the US have developed an attack dubbed NUIT, for Near-Ultrasound Inaudible Trojan, that exploits vulnerabilities in smart device microphones and voice assistants to silently and remotely access smart phones and home devices.

In an interview with The Register this month, Chen and Xia demonstrated two separate NUIT attacks: NUIT-1, which emits sounds to exploit a victim's smart speaker to attack the same victim's microphone and voice assistant on the same device, and NUIT-2, which exploits a victim's speaker to attack the same victim's microphone and voice assistant on a different device.

The second instruction - "Open the door" - is the attack payload that uses Siri's voice to open the victim's door, assuming it's connected to home automation systems driven by Siri.

In a NUIT-2 attack, the attacker exploits the speaker on one device to attack the microphone and associated voice assistant of a second device.

An attacker could use this scenario during Zooms meeting, for example: if an attendee unmutes themself, and their phone is placed next to their computer, an attacker could use an embedded attack signal to attack that attendees phone.

Amazon's fist-generation Echo Dot also fell victim to inaudible attack signals, but survived a silent response attack.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/04/04/siri_alexa_cortana_google_nuit/