Posted November 4, 2019

Sources: Ars Technica (Quote & Media Source), New York Times, University of Michigan White Paper

Summary: All three popular assistants, as well as some phones, can be controlled over a long distance via, optionally invisible, laser light over distances greater than 110 meters (360 feet). All companies are aware of the attack and are working on fixes.

Quotes/Excerpts:

Quote

Siri, Alexa, and Google Assistant are vulnerable to attacks that use lasers to inject inaudible, and sometimes invisible, commands into the devices [to] unlock doors, visit websites, and locate, unlock, and start vehicles. Dubbed Light Commands, the attack works against Facebook Portal and a variety of phones.

Shining a low-powered laser into these voice-activated systems allows attackers to inject commands of their choice from as far away as 360 feet (110m). The attack can frequently be carried out without the need of a password or PIN. Among other things, light-based commands can be sent from one building to another and penetrate glass when a vulnerable device is kept near a closed window.

The attack exploits a vulnerability in microphones that use micro-electro-mechanical systems, or MEMS. The microscopic MEMS components of these microphones unintentionally respond to light as if it were sound.

The laser-based attacks have several limitations. For one, the attacker must have direct line of sight to the targeted device. And for another, the light in many cases must be precisely aimed at a very specific part of the microphone. Except in cases where an attacker uses an infrared laser, the lights are also easy to see by someone who is close. What’s more, devices typically respond with voice and visual cues when executing a command, a feature that would alert users within earshot of the device.

The findings are important for a host of reasons.
Not only does the research present a novel mode of attack against voice-controllable, or VC, systems, it also shows how to carry out the attacks in semi-realistic environments. Additionally, the researchers still don’t fully understand the physics behind their exploit. A better understanding in the coming years may yield more effective attacks.

“We find that VC systems are often lacking user authentication mechanisms, or if the mechanisms are present, they are incorrectly implemented (e.g., allowing for PIN bruteforcing),”

The paper describes different setups used to carry out the attacks. One is composed of a simple laser pointer ($18 for three), a laser driver ($339), and an audio amplifier ($27.99). The setup can use an optional 650-1300mm telephoto lens ($199.95) to focus the laser for long-range attacks. Another setup used an infrared laser that’s invisible to the human eye, and a third setup relied on a 500-lumen laser-excited phosphor flashlight to eliminate the requirement to precisely aim a light on a specific part of a MEMS microphone.

One of the researchers’ attacks successfully injected a command through a glass window 230 feet away. In a different experiment, the researchers used a telephoto lens to focus the laser to successfully attack a VC device 360 feet away. The distance was the maximum allowed in the test environment, raising the possibility that longer distances are possible.

My Thoughts:

<Spiderman neat.gif>. Welp, time to move the voice assistant away from the bedroom window. It's definitely interesting to see devices attacked in unsuspecting ways. While this attack is a bit expensive at ~$500, that is still a very low price of entry considering how much people integrate their other hardware (e.g. Teslas) into their smart ecosystems.
Regardless, if you're pissed at your neighbors, here's a way to lower the temperature of a Nest thermostat from across the road while they're not home at the very least.

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME
Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS
Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor

Posted November 4, 2019

I knew it! Sharks with lazer beams will be the downfall of humanity still

Posted November 4, 2019

This is how they took down Bin Laden

Posted November 4, 2019

Another reason why I can't trust smart home devices, again. There are so many vulnerabilities around smart home devices that I probably wouldn't be able to sleep if I had a Google Home even in my living room.

mechanical keyboard switches aficionado & hi-fi audio enthusiast

Posted November 4, 2019

23 minutes ago, sowon said:
Another reason why I can't trust smart home devices, again.

agreed, these days it's impossible to stay away from IOT since businesses use them (security cams being the most common form, hell getting a security system without IOT is impossible since it always must be online, always watching, always there...) i will NEVER, EVER let one into my house and my network. my parents wanted to get that facebook portal thing and i said no, because a, it's a privacy nightmare and b. i would disconnect it, destroy it, then delete the account connected to it.

*Insert Witty Signature here*
System Config: https://au.pcpartpicker.com/list/Tncs9N

Posted November 4, 2019

Washing machines are such horrible gossips too.

Posted November 5, 2019

1 hour ago, Salv8 (sam) said:
agreed, these days it's impossible to stay away from IOT since businesses use them (security cams being the most common form, hell getting a security system without IOT is impossible since it always must be online, always watching, always there...) i will NEVER, EVER let one into my house and my network. my parents wanted to get that facebook portal thing and i said no, because a, it's a privacy nightmare and b. i would disconnect it, destroy it, then delete the account connected to it.

If an IOT device cannot operate without internet access after initial setup then it's an automatic no for me. You can create your own security camera system with automated backups encrypted locally and sent to the cloud. It's not impossible, you would just have to set up VLANs/routing rules to block internet access to these devices. Mainstream devices = no.

Magical Pineapples