
Mr. Sebastian, you'll notice all the Assistants have laser beams aimed at their heads - Siri, Alexa, Google Home can be silently controlled by lasers

rcmaehl

Sources:
Ars Technica (Quote & Media Source)
New York Times

University of Michigan White Paper
 

Summary:
All three popular assistants, as well as some phones, can be controlled over a long distance via, optionally invisible, laser light over distances greater than 110 meters (360 feet). All companies are aware of the attack and are working on fixes.

 

Media (4 video playlist!):

 

Quotes/Excerpts:

Quote

Siri, Alexa, and Google Assistant are vulnerable to attacks that use lasers to inject inaudible, and sometimes invisible, commands into the devices [to] unlock doors, visit websites, and locate, unlock, and start vehicles. Dubbed Light Commands, the attack works against Facebook Portal and a variety of phones. Shining a low-powered laser into these voice-activated systems allows attackers to inject commands of their choice from as far away as 360 feet (110m). The attack can frequently be carried out without the need of a password or PIN. Among other things, light-based commands can be sent from one building to another and penetrate glass when a vulnerable device is kept near a closed window. The attack exploits a vulnerability in microphones that use micro-electro-mechanical systems, or MEMS. The microscopic MEMS components of these microphones unintentionally respond to light as if it were sound. The laser-based attacks have several limitations. For one, the attacker must have direct line of sight to the targeted device. And for another, the light in many cases must be precisely aimed at a very specific part of the microphone. Except in cases where an attacker uses an infrared laser, the lights are also easy to see by someone who is close. What’s more, devices typically respond with voice and visual cues when executing a command, a feature that would alert users within earshot of the device. The findings are important for a host of reasons. Not only does the research present a novel mode of attack against voice-controllable, or VC, systems, it also shows how to carry out the attacks in semi-realistic environments. Additionally, the researchers still don’t fully understand the physics behind their exploit. A better understanding in the coming years may yield more effective attacks.
“We find that VC systems are often lacking user authentication mechanisms, or if the mechanisms are present, they are incorrectly implemented (e.g., allowing for PIN bruteforcing),” The paper describes different setups used to carry out the attacks. One is composed of a simple laser pointer ($18 for three), a laser driver ($339), and an audio amplifier ($27.99). The setup can use an optional 650-1300mm telephoto lens ($199.95) to focus the laser for long-range attacks. Another setup used an infrared laser that’s invisible to the human eye, and a third setup relied on a 500-lumen laser-excited phosphor flashlight to eliminate the requirement to precisely aim a light on a specific part of a MEMS microphone. One of the researchers’ attacks successfully injected a command through a glass window 230 feet away. In a different experiment, the researchers used a telephoto lens to focus the laser to successfully attack a VC device 360 feet away. The distance was the maximum allowed in the test environment, raising the possibility that longer distances are possible.

 

My Thoughts:

<Spiderman neat.gif>. Welp, time to move the voice assistant away from the bedroom window. It's definitely interesting to see devices attacked in unsuspecting ways. While this attack is a bit expensive at ~$500, that is still a very low price of entry considering how much people integrate their other hardware (e.g. Teslas) into their smart ecosystems. Regardless, if you're pissed at your neighbors, here's a way to lower the temperature of a Nest thermostat from across the road while they're not home, at the very least.

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor
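The paper's finding quoted above, that VC systems often lack user authentication or implement it so that a PIN can be brute-forced, is the part of this story a defender can act on in software. The block below is an added example, not code from the paper, Ars Technica or any assistant vendor; it sketches an assumed back-off-and-lockout policy for a voice PIN (VoicePinGuard, guesses_within and the constants are hypothetical names) and shows how few guesses such a policy leaves an attacker who can inject commands at will.

```python
import hashlib
import hmac
import os
import time

# Constructed illustration (hypothetical policy, not a vendor's design):
# the voice PIN is stored as a salted PBKDF2 hash, every wrong guess
# doubles the wait before the next guess is even evaluated, and
# MAX_FAILURES wrong guesses disable the PIN until an out-of-band reset
# (e.g. from the owner's companion app), so injected commands cannot
# simply cycle through all 10,000 four-digit PINs.

MAX_FAILURES = 5      # wrong guesses before the PIN is disabled
BASE_DELAY_S = 2.0    # wait after the first wrong guess; doubles each time
PBKDF2_ROUNDS = 50_000


class VoicePinGuard:
    """Rate-limited PIN check for a voice-controllable (VC) device."""

    def __init__(self, pin: str, clock=time.monotonic):
        self.clock = clock            # injectable for deterministic tests
        self.salt = os.urandom(16)
        self.digest = self._hash(pin, self.salt)
        self.failures = 0
        self.not_before = 0.0         # earliest time a guess is evaluated

    @staticmethod
    def _hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

    def verify(self, spoken_pin: str) -> str:
        """Return 'ok', 'bad_pin', 'throttled' or 'locked'."""
        if self.failures >= MAX_FAILURES:
            return "locked"           # disabled: no guess is evaluated
        if self.clock() < self.not_before:
            return "throttled"        # still inside the back-off window
        # Constant-time compare so timing does not leak a matching prefix.
        if hmac.compare_digest(self._hash(spoken_pin, self.salt), self.digest):
            self.failures = 0
            self.not_before = 0.0
            return "ok"
        self.failures += 1
        self.not_before = self.clock() + BASE_DELAY_S * 2 ** (self.failures - 1)
        return "bad_pin"

    def reset(self) -> None:
        """Out-of-band unlock by the owner; clears the failure counter."""
        self.failures = 0
        self.not_before = 0.0


def guesses_within(budget_s: float) -> int:
    """Wrong guesses that fit in a time budget under the back-off alone
    (lockout ignored): the first guess is immediate, each later one waits."""
    count, elapsed = 0, 0.0
    while elapsed <= budget_s:
        count += 1
        elapsed += BASE_DELAY_S * 2 ** (count - 1)
    return count
```

With these numbers an attacker gets at most eleven evaluated guesses per hour from the back-off alone, and only five in total once the lockout is in force, against a space of 10,000 four-digit PINs.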


 


Another reason why I can't trust smart home devices, again.

 

There are so many vulnerabilities around smart home devices that I probably wouldn't be able to sleep if I had a Google Home even in my living room.

mechanical keyboard switches aficionado & hi-fi audio enthusiast

switch reviews  how i lube mx-style keyboard switches


23 minutes ago, sowon said:

Another reason why I can't trust smart home devices, again.

agreed, these days it's impossible to stay away from IOT since businesses use them (security cams being the most common form; hell, getting a security system without IOT is impossible since it always must be online, always watching, always there...)

I will NEVER, EVER let one into my house and my network.

my parents wanted to get that facebook portal thing and I said no, because a, it's a privacy nightmare and b.

I would disconnect it, destroy it, then delete the account connected to it.

*Insert Witty Signature here*

System Config: https://au.pcpartpicker.com/list/Tncs9N

 


1 hour ago, Salv8 (sam) said:

agreed, these days it's impossible to stay away from IOT since businesses use them (security cams being the most common form; hell, getting a security system without IOT is impossible since it always must be online, always watching, always there...)

I will NEVER, EVER let one into my house and my network.

my parents wanted to get that facebook portal thing and I said no, because a, it's a privacy nightmare and b.

I would disconnect it, destroy it, then delete the account connected to it.

If an IOT device cannot operate without internet access after initial setup, then it's an automatic no for me.

 

You can create your own security camera system with automated backup, encrypted locally and sent to the cloud. It's not impossible; you just would have to set up VLANs/routing rules to block internet access to these devices. Mainstream devices = no.

Magical Pineapples


54 minutes ago, huilun02 said:

-snip-

ok, let's break this down

the most common security solution is made by a business called ADT (https://www.adt.com/) it's very common for a home to be protected with their services

notice one thing?

it's all online, even the traditional service.

the latest models require an internet connection and an account to be fully operational (like notifying you and police that your house has been broken into)

it's extremely hard to find a traditional hardwired CCTV system because why lay new lines, when you can just use a network to do that same purpose.

it's cheaper, easier to manage, but you lose the ability to keep it offline and out of the hands of those who could use it for nefarious purposes.

and this leads us into the next quote:

1 hour ago, desertcomputer said:

-snip-

if you are a business (or someone with knowledge of networking equipment) this is possible, but not everyone can do this, you can setup another network for it but for most consumers this can overwhelm them and they won't do it.

and even with a VLAN, it's still possible to get around it; my fav example is when TAFE Queensland held a hacking contest for IT students, anyone could enter and win.

the problem was TAFE didn't isolate it enough and the students found their way into the TAFE network and screwed it up; TAFE went down for two days while their IT staff fixed the network, no-one could use the internet, local or network resources (their computers require the servers to be up otherwise they stop functioning)


Perhaps gestures are the future of home automation, not voice.

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

CPU: Ryzen 9 5900X Case: Antec P8 PSU: Corsair RM850x Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


54 minutes ago, williamcll said:

Perhaps gestures are the future of home automation, not voice.

*Aggressively Macarenas at home assistant*


A laser needs to be powerful enough to melt hardened steel to unlock my front door. I think I might have big issues if someone comes around with one of those.

Grammar and spelling is not indicative of intelligence/knowledge. Not having the same opinion does not always mean lack of understanding.


1 hour ago, mr moose said:

A laser needs to be powerful enough to melt hardened steel to unlock my front door. I think I might have big issues if someone comes around with one of those.

Yeah, like the local power grid going offline because they plugged the laser in and sucked up 1.21GW in one go.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


18 minutes ago, Master Disaster said:

Yeah, like the local power grid going offline because they plugged the laser in and sucked up 1.21GW in one go.

1.21 JIGGAWATTS!!!!!  WHAT WAS I THINKING?


6 hours ago, Master Disaster said:

Yeah, like the local power grid going offline because they plugged the laser in and sucked up 1.21GW in one go.

Then it would be better to wait on a sunny day and use parts from an old monitor (Fresnel lens)  ;)


Well then, time to keep my Homes unplugged when I sleep

CPU: Core i9 12900K || CPU COOLER : Corsair H100i Pro XT || MOBO : ASUS Prime Z690 PLUS D4 || GPU: PowerColor RX 6800XT Red Dragon || RAM: 4x8GB Corsair Vengeance (3200) || SSDs: Samsung 970 Evo 250GB (Boot), Crucial P2 1TB, Crucial MX500 1TB (x2), Samsung 850 EVO 1TB || PSU: Corsair RM850 || CASE: Fractal Design Meshify C Mini || MONITOR: Acer Predator X34A (1440p 100hz), HP 27yh (1080p 60hz) || KEYBOARD: GameSir GK300 || MOUSE: Logitech G502 Hero || AUDIO: Bose QC35 II || CASE FANS : 2x Corsair ML140, 1x BeQuiet SilentWings 3 120 ||

 

LAPTOP: Dell XPS 15 7590

TABLET: iPad Pro

PHONE: Galaxy S9

She/they 


15 hours ago, Salv8 (sam) said:

...getting a security system without IOT is impossible...

No, it's not impossible. Closed, hardwired systems still work just fine. Of course, you will not access them remotely but, then again, if you can access a system remotely, hackers probably also can. The other downside is the expense and difficulty of running the cables for a hardwired system (both of which can be reduced considerably if the wiring is done during construction of the building).

 

Currently, the huge problems with IOT systems are poor security (with no options to beef it up like one can do with computers), a lack of standardization (parts for one brand will not work with other brands), and dependence on the parent company to be able to work (which can cause a system to stop working if the parent company discontinues the system, which has happened already in at least two cases).

Jeannie

 

As long as anyone is oppressed, no one will be safe and free.

One has to be proactive, not reactive, to ensure the safety of one's data so backup your data! And RAID is NOT a backup!

 


17 hours ago, rcmaehl said:

Sources:
Ars Technica (Quote & Media Source)
New York Times

University of Michigan White Paper
 

Summary:
All three popular assistants, as well as some phones, can be controlled over a long distance via, optionally invisible, laser light over distances greater than 110 meters (360 feet). All companies are aware of the attack and are working on fixes.

 

Media (4 video playlist!):

 

Quotes/Excerpts:

 

My Thoughts:

<Spiderman neat.gif>. Welp, time to move the voice assistant away from the bedroom window. It's definitely interesting to see devices attacked in unsuspecting ways. While this attack is a bit expensive at ~$500, that is still a very low price of entry considering how much people integrate their other hardware (e.g. Teslas) into their smart ecosystems. Regardless, if you're pissed at your neighbors, here's a way to lower the temperature of a Nest thermostat from across the road while they're not home, at the very least.

Yes, but the thing is, to even do this you need a TON of specialized equipment. It wouldn't even be worth it...


4 minutes ago, xARACHN1D said:

Yes, But the thing is, to even do this you need a TON of specialized equipment. It wouldn't even be worth it...

True that, especially since there are far easier ways to hack in. I've stopped using Wi-Fi altogether because of the security risk. While measures can be taken to avoid Wi-Fi intrusions, it's a constant battle since hackers keep finding new ways in. Routing the ethernet cables through my house was a chore but, unless I need a new access point, it was a one-time chore I don't have to fool around with anymore.


1 minute ago, Lady Fitzgerald said:

True that, especially since there are far easier ways to hack in. I've stopped using Wi-Fi altogether because of the security risk. While measures can be taken to avoid Wi-Fi intrusions, it's a constant battle since hackers keep finding new ways in. Routing the ethernet cables through my house was a chore but, unless I need a new access point, it was a one-time chore I don't have to fool around with anymore.

You ma'am, are a smart lady. Ethernet is the way to go anyway. Higher speeds too.


It's a security issue that should be addressed, but at the same time: if someone is close enough that they can point a laser at your smart speaker's mics to trigger commands, you have greater worries than whether or not they're taking control of your Echo or Home.  That is, they're probably in your home or otherwise have a clear line of sight to your speaker.


Just now, Commodus said:

That is, they're probably in your home or otherwise have a clear line of sight to your speaker.

360 meters was the max distance tested (due to college hallway length limitations). It's likely to work at long distances but has been untested so far


For more details on this attack

 

https://lightcommands.com/

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´


15 hours ago, williamcll said:

Perhaps gestures are the future of home automation, not voice.

Clapping lights are still really cool 


5 hours ago, rcmaehl said:

360 meters was the max distance tested (due to college hallway length limitations). It's likely to work at long distances but has been untested so far

Oh, I know, but what's the likelihood that you'll have an unobstructed view of a speaker from that far away? It's like playing darts, only the dartboard is on the other side of the street... and you're not sure if you'll even see the board when you lean out of the window to take aim. It's important to patch this, but the real-world likelihood of an exploit is tiny compared to conventional risks.
