Researchers hack Siri and Google Assistant using ultrasonic waves
What’s even more alarming is that a similar vulnerability was discovered almost 3 years ago by a team from Zhejiang University. Using only simple, 3$ worth of additional hardware, the Chinese scientists were able to translate voice commands to ultrasound and activate Siri and Alexa on various devices, calling the vulnerability DolphinAttack (after dolphins using ultrasound for navigation). The team from Michigan used a piezoelectric element instead (converting electricity to ultrasound), but the basic principle remains the same. These ultrasonic waves can be sent through hard surfaces like metal, wood or glass at distances up to 30 feet. The new method is dubbed “SurfingAtttack”.
This unpatched vulnerability can easily let hackers send different commands to your phone and make it do… well, bad things. They can use Siri to call your friends, steal your 2FA codes, cancel meetings or in theory even ask for money. If your phone is locked though, and you use a fingerprint or a FaceID for authentication, things become less dramatic. Researchers have tested the SurfingAttack hack with 17 phone models and 15 of them proved susceptible. Among them were four iPhones; the 5, 5s, 6 and X; the first three Google Pixels; the Samsung Galaxy S7 and S9.
It’s really strange that manufacturers left this door open for so long, but there’s an easy way to protect yourself against SurferAttack - according to the scientists, simply putting a soft material under your phone when you place it on hard surfaces in public will protect it from malicious ultrasonic influence.