TECHNOLOGY

Researchers used a laser to hack Alexa and other voice assistants

Nov 5, 2019, 10:05 AM
google smart speaker alarm...
A Google Home smart speaker sits on a kitchen counter in a photo taken on January 9, 2019. Full credit: Olly Curtis/Future via Getty Images

(CNN) — Usually you have to talk to voice assistants to get them to do what you want. But a group of researchers determined they can also command them by shining a laser at smart speakers and other gadgets that house virtual helpers such as Amazon’s Alexa, Apple’s Siri and Google’s Assistant.

Researchers at the University of Michigan and Japan’s University of Electro-Communications figured out they could do this silently and from hundreds of feet away, as long as they had a line of sight to the smart gadget. The finding could enable anyone (with motivation and a few hundred dollars’ worth of electronics) to attack a smart speaker from outside your house, making it do anything from playing music to opening a smart garage door to buying you stuff on Amazon.

In a new paper, the researchers explained that they were able to shine a light that had a command encoded in it (such as “OK Google, open the garage door”) at a microphone built into a smart speaker. The sounds of each command were encoded in the intensity of a light beam, Daniel Genkin, a paper coauthor and assistant professor at the University of Michigan, told CNN Business on Monday. The light would hit the diaphragm built into the smart speaker’s microphone, causing it to vibrate in the same way as if someone had spoken that command.

The researchers exploited the vulnerability in tests to do things like trigger a smart garage door opener and ask what time it is.

A list of devices that the researchers tested and said are vulnerable to such light commands includes Google Home, Google Nest Cam IQ, multiple Amazon Echo, Echo Dot, and Echo Show devices, Facebook’s Portal Mini, the iPhone XR, and the sixth-generation iPad. Smart speakers typically don’t come with any user authentication features turned on by default; the Apple devices are among a few exceptions that required the researchers to come up with a way to work around this privacy setting.

The findings could concern consumers, as well as the companies that offer voice assistants. Over the past five years, the market for assistant-using smart speakers — Amazon’s Alexa and its Echo smart speakers in particular — has ballooned. According to data from tech market researcher Canalys, companies shipped 26.1 million smart speakers in the second quarter. Amazon is sitting on top of this market: Canalys reports Amazon shipped a quarter of these speakers, or an estimated 6.6 million between April and June.

The cost for anyone to do likewise could be less than $400: On a website related to the work, researchers outline the equipment needed, which includes an under-$20 laser pointer, a $339 laser driver, and a $28 sound amplifier.

“If you have a laser that can shine through windows and across long distances — without even alerting anyone in the house that you’re hitting the smart speaker — there’s a big threat in being able to do things a smart speaker can do without permission of the owner,” said Benjamin Cyr, a graduate student at the University of Michigan and a paper coauthor.

Researchers said the Google Home device and first-generation Echo Plus could be commanded over the longest distance: 110 meters (about 361 feet). The researchers said that distance was the longest area they could use (a hallway) when conducting tests.

The researchers noted that they haven’t seen this security issue being taken advantage of. One way to avoid any potential issues, though, is to make sure your smart speaker can’t be seen by anyone outside your home.

Researchers said the weakness can’t truly be fixed without redesigning the microphones, known as MEMS microphones, that are built into these devices, however, which would be a lot more complicated. Takeshi Sugawara, a visiting scholar at the University of Michigan and the paper’s lead author, said one way to do this would be to create an obstacle that would block a straight line of sight to the microphone’s diaphragm.

Gekin said he contacted Google, Apple, Amazon and other companies to address the security issue.

A Google spokesperson said the company is closely reviewing the research. Apple declined to comment. Amazon did not respond to a request for comment at the time of publication.

The-CNN-Wire
™ & © 2019 Cable News Network, Inc., a WarnerMedia Company. All rights reserved.

Today’s Top Stories

Technology

space radio...
Elizabeth Weiler

USU making history with a radio entering the lunar orbit

LOGAN, Utah — Utah State University has made history by being the first laboratory to successfully send a a radio, created by Utah State University’s Space Dynamics Laboratory (SDL) into the orbit of earths moon.  The deep space radio named Iris, named after the Greek mythological goddess, daughter of Thaumas and Electra and messenger of the gods, made its […]
14 hours ago
In this image provided by NASA, the Earth and its moon are seen from NASA's Orion spacecraft on Mon...
Jackie Wattles, CNN

NASA’s Orion reaches record-breaking distance from Earth

NASA confirmed that Orion had reached the midpoint of its uncrewed mission around the moon — about 270,000 miles (434,523 kilometers) from Earth.
2 days ago
Former US President Donald Trump's Twitter account has been reinstated on the platform....
Clare Duffy and Paul LeBlanc, CNN

Elon Musk restores Donald Trump’s Twitter account

Former US President Donald Trump's Twitter account has been reinstated on the platform.
12 days ago
With employees with the company, the future of Twitter is in uncertain. Photo credit: Justin Sulliv...
Oliver Darcy, CNN Business

Inside Twitter as ‘mass exodus’ of staffers throws platform’s future into uncertainty

With employees leaving the company, the future of Twitter is uncertain.
13 days ago
NASA's Space Launch System (SLS) rocket with the Orion spacecraft aboard is seen on Nov. 12 at NASA...
Jackie Wattles, CNN

Historic moon mission troubleshoots fuel leak issue hours before launch

The Artemis I mission to the moon could finally take place this week.
16 days ago
FILE - A Tesla owner charges his vehicle at a charging station in Topeka, Kan., Monday, April 5, 20...
Peter Valdes-Dapena, CNN Business

Tesla officially makes its charging standard available to other companies

Tesla has invited other automakers to build cars with charging ports that can work with Tesla's charging format and for other charging companies to add Tesla-style plugs to their chargers.
19 days ago

Sponsored Articles

Happy joyful smiling casual satisfied woman learning and communicates in sign language online using...
Sorenson

The best tools for Deaf and hard-of-hearing workplace success

Here are some of the best resources to make your workplace work better for Deaf and hard-of-hearing employees.
Team supporters celebrating at a tailgate party...
Macey's

8 Delicious Tailgate Foods That Require Zero Prep Work

In a hurry? These 8 tailgate foods take zero prep work, so you can fuel up and get back to what matters most: getting hyped for your favorite
christmas decorations candles in glass jars with fir on a old wooden table...
Western Nut Company

12 Mason Jar Gift Ideas for the 12 Days of Christmas [with recipes!]

There are so many clever mason jar gift ideas to give something thoughtful to your neighbors or friends. Read our 12 ideas to make your own!
wide shot of Bear Lake with a person on a stand up paddle board...

Pack your bags! Extended stays at Bear Lake await you

Work from here! Read our tips to prepare for your extended stay, whether at Bear Lake or somewhere else nearby.
young boy with hearing aid...
Sorenson

Accommodations for students who are deaf and hard of hearing

These different types of accommodations for students who are deaf and hard of hearing can help them succeed in school.
Young woman receiving laser treatment...
Form Derm Spa

How facial plastic surgery and skincare are joining forces

Facial plastic surgery is not only about looking good but about feeling good too. The medical team at Form Spa are trained to help you reach your aesthetic outcomes through surgery and through skincare and dermatology, too.
Researchers used a laser to hack Alexa and other voice assistants