Just when you think you've seen it all . . . hat tip to Gregory Bufithis who pointed out that researchers have discovered that a series of distorted voice commands surreptitiously hidden in YouTube videos can force unprotected Android or iOS smartphones to carry out malicious operations. Controlling smartphones with voice commands was done last year, when two security researchers from French agency ANSSI used radio waves to send hidden commands to handsets running Siri or Google Now. That attack was possible only if the phone had its headphones plugged in.
Now, a team of seven researchers from the University of California, Berkeley, and Georgetown University have devised a variation of this attack that uses mangled voice commands hidden in YouTube videos. A user can view the video from their PC, laptop, smart TV, tablet, or another smartphone. Once the target mobile picks up the mangled voices, the sound filtering features included with Siri or Google Now will clean out the sounds and execute the commands.
Researchers have recorded a video of their attack which shows that some of the mangled voice commands are easy to discern by a human paying enough attention, but some of the commands are not (the white-box model). There are ways to stop the attack, but it can also execute before the phone owner understands what is happening. The type of hidden commands embedded in such videos can be as innocent as ordering a simple Google search to instructions to download and install malware, eventually allowing the attacker to take full control of the device.
Researchers argue that a series of defenses can be put in place, such as notifying the user when voice commands are accepted or by adding a verbal challenge-response system.
There are a number of such videos available, but note well, disable your phone's voice commands input before viewing them!
E-mail: firstname.lastname@example.org Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology