So there you are, sitting inside an Arby's because they've got the meats. With your phone on the table, you're shocked when it starts taking selfies without you touching the handset or even saying one word to it. Then, the device makes a phone call to one of your contacts all by itself. Have evil spirits taken over your handset? Actually, it is the work of something more eviler-hackers.
"SurfingAttack" can control a phone's digital assistant under certain conditions
According to a team of academic researchers (via Tom's Guide), a hacker can send inaudible vibrations through a tabletop from 30 feet away and control the digital assistant on your Android or iOS phone. Called "SurfingAttack," the researchers wrote on their website that "SurfingAttack exploits ultrasonic guided wave propagating through solid-material tables to attack voice control systems. By leveraging the unique properties of acoustic transmission in solid materials, we design a new attack called SurfingAttack that would enable multiple rounds of interactions between the voice-controlled device and the attacker over a longer distance and without the need to be in line-of-sight. By completing the interaction loop of inaudible sound attack, SurfingAttack enables new attack scenarios, such as hijacking a mobile Short Message Service (SMS) passcode, making ghost fraud calls without owners' knowledge, etc.
Using the attack, hackers will be able to make fraud calls with your phone, steal two-factor authorization codes sent through SMS, interact with your device through Google Assistant or Siri and create even more havoc. And since the vibrations are inaudible, you will never know that your handset is under attack unless you keep an eye on your phone when it is placed on a table. Besides keeping an eye on your phone, other suggestions to stop such an attack from taking place include the use of thick phone cases made from wood, disabling the voice assistant on your phone on the lock screen, and locking the device when you put it down. You might also consider putting a soft woven fabric on top of a table to put your device on.
If you own an Android phone, you should disable lock screen personal results. To do this, open Google Assistant and tap on the compass icon at the bottom right of the screen. Next, tap on the avatar at the upper right of the display and select settings. Go to Assistant > Assistant Devices > Phone and toggle off Lock screen personal results.
Keep in mind that the technology used to create the vibrations is hidden on the table where the victim phone lies. The researchers found that the attack works best on tables made of three different materials such as aluminum/steel, glass, and medium-density fiberboard (MDF). Steel tables carry the vibrations the farthest, a distance of up to 30 feet.
Back in 2017, we told you about a hack called "DolphinAttack" that could use a speaker and a simple amp. Somewhat similar to the theory that makes "Surfing Attack" work, "DolphinAttack" takes spoken commands meant for a digital assistant and converts them to ultrasonic soundwaves that humans can't hear. The assistants react to the soundwaves and respond accordingly. The range of this attack is limited to 25 feet.
The researchers were able to use "SurfingAttack" on the following phones: