Attacked by light - Vulnerabilities in MEMS microphones

[lewdicrous]

  Researchers at the University of Michigan & the University of Electro-Communications found a way to exploit microphones inside smart hubs by using lasers.

Quote

The “light commands” attack exploits a design flaw in the smart assistants microelectro-mechanical systems (MEMS) microphones. MEMS microphones convert voice commands into electrical signals, but researchers demonstrated that they can also react to laser light beams.

Quote

Light Commands was discovered this year in May. It allows attackers to remotely inject inaudible and invisible commands into voice assistants, such as Google assistant, Amazon Alexa, Facebook Portal, and Apple Siri using light. This vulnerability can become more dangerous as voice-control devices gain more popularity.

They were able to use their lasers on smart assistants from Google, Amazon, Apple, as well as others.

Some products required authentication, some of them don't have a limit to how many pass codes you can try, while other products, like Apple devices (Siri) would require you to unlock your phone in order to let the command go through.

 

Ways to mitigate this sort of attack:

Quote

Researchers suggested to set up a PIN or a security question before executing the commands.

By applying physical barriers, you can restrict light waves reaching the devices.

 

Sources:

Spoiler

https://securityaffairs.co/wordpress/93429/hacking/light-commands-attack-voice-assistants.html

https://gbhackers.com/light-commands-hack/

https://hub.packtpub.com/researchers-reveal-light-commands-laser-based-audio-injection-attacks-on-voice-control-devices-like-alexa-siri-and-google-assistant/

Original paper:

Spoiler

https://lightcommands.com/20191104-Light-Commands.pdf

Site related to paper:

https://lightcommands.com/

Related video by SmarterEveryDay:

Spoiler

 

 

Thoughts:

This might make some people, especially government officials or company executives, reconsider getting devices that are vulnerable to this kind of attack, at least until the manufacturers find a way to fix it, both in terms of hardware (making it difficult for the lasers to see the MEMS units) and software (adding extra precautions/authentication processes).

[rcmaehl]

Some additional info from my November thread:

 

 

I'll have to read your sources to see what all has changed

[lewdicrous]

2 minutes ago, rcmaehl said:

- Snip -

I tried searching for a tech news thread on this subject, but I didn't find one, that's why I made this.. My bad.

 

I guess the new thing here would be the SmarterEveryDay video.

[rcmaehl]

9 minutes ago, lewdicrous said:

I tried searching for a tech news thread on this subject, but I didn't find one, that's why I made this.. My bad.

 

I guess the new thing here would be the SmarterEveryDay video.

Forum search function sucks and there's new info so it's fine. I'll definitely be checking out the video