TECHNOLOGY

Researchers used a laser to hack Alexa and other voice assistants

Nov 5, 2019, 10:05 AM
google smart speaker alarm...
A Google Home smart speaker sits on a kitchen counter in a photo taken on January 9, 2019. Full credit: Olly Curtis/Future via Getty Images

(CNN) — Usually you have to talk to voice assistants to get them to do what you want. But a group of researchers determined they can also command them by shining a laser at smart speakers and other gadgets that house virtual helpers such as Amazon’s Alexa, Apple’s Siri and Google’s Assistant.

Researchers at the University of Michigan and Japan’s University of Electro-Communications figured out they could do this silently and from hundreds of feet away, as long as they had a line of sight to the smart gadget. The finding could enable anyone (with motivation and a few hundred dollars’ worth of electronics) to attack a smart speaker from outside your house, making it do anything from playing music to opening a smart garage door to buying you stuff on Amazon.

In a new paper, the researchers explained that they were able to shine a light that had a command encoded in it (such as “OK Google, open the garage door”) at a microphone built into a smart speaker. The sounds of each command were encoded in the intensity of a light beam, Daniel Genkin, a paper coauthor and assistant professor at the University of Michigan, told CNN Business on Monday. The light would hit the diaphragm built into the smart speaker’s microphone, causing it to vibrate in the same way as if someone had spoken that command.

The researchers exploited the vulnerability in tests to do things like trigger a smart garage door opener and ask what time it is.

A list of devices that the researchers tested and said are vulnerable to such light commands includes Google Home, Google Nest Cam IQ, multiple Amazon Echo, Echo Dot, and Echo Show devices, Facebook’s Portal Mini, the iPhone XR, and the sixth-generation iPad. Smart speakers typically don’t come with any user authentication features turned on by default; the Apple devices are among a few exceptions that required the researchers to come up with a way to work around this privacy setting.

The findings could concern consumers, as well as the companies that offer voice assistants. Over the past five years, the market for assistant-using smart speakers — Amazon’s Alexa and its Echo smart speakers in particular — has ballooned. According to data from tech market researcher Canalys, companies shipped 26.1 million smart speakers in the second quarter. Amazon is sitting on top of this market: Canalys reports Amazon shipped a quarter of these speakers, or an estimated 6.6 million between April and June.

The cost for anyone to do likewise could be less than $400: On a website related to the work, researchers outline the equipment needed, which includes an under-$20 laser pointer, a $339 laser driver, and a $28 sound amplifier.

“If you have a laser that can shine through windows and across long distances — without even alerting anyone in the house that you’re hitting the smart speaker — there’s a big threat in being able to do things a smart speaker can do without permission of the owner,” said Benjamin Cyr, a graduate student at the University of Michigan and a paper coauthor.

Researchers said the Google Home device and first-generation Echo Plus could be commanded over the longest distance: 110 meters (about 361 feet). The researchers said that distance was the longest area they could use (a hallway) when conducting tests.

The researchers noted that they haven’t seen this security issue being taken advantage of. One way to avoid any potential issues, though, is to make sure your smart speaker can’t be seen by anyone outside your home.

Researchers said the weakness can’t truly be fixed without redesigning the microphones, known as MEMS microphones, that are built into these devices, however, which would be a lot more complicated. Takeshi Sugawara, a visiting scholar at the University of Michigan and the paper’s lead author, said one way to do this would be to create an obstacle that would block a straight line of sight to the microphone’s diaphragm.

Gekin said he contacted Google, Apple, Amazon and other companies to address the security issue.

A Google spokesperson said the company is closely reviewing the research. Apple declined to comment. Amazon did not respond to a request for comment at the time of publication.

The-CNN-Wire
™ & © 2019 Cable News Network, Inc., a WarnerMedia Company. All rights reserved.

Today’s Top Stories

Technology

FILE - This Friday, Feb. 16, 2018, file photo shows application icons from left, Facebook, Facebook...
Curt Gresseth

Expert gives tips on conquering your downward social media scroll

Are you addicted to the social-media scroll? An expert weighs in on what you can do to slow the scroll.
8 days ago
FILE - A Tesla owner charges his vehicle at a charging station in Topeka, Kan., Monday, April 5, 20...
TOM KRISHER AP Auto Writer

US report: nearly 400 crashes of automated tech vehicles

However, the National Highway Traffic Safety Administration cautioned against using the numbers to compare automakers,
22 days ago
Iran digital intrusion...
Curt Gresseth

Don’t get hacked. Protect your online data by being cyber-ready.

A cyber-security says defend yourself against hackers by being cyber-ready.
2 months ago
The gold star on your license will be needed if you want to fly in the next year....
Dan Bammes

Your driver’s license needs this if you want to fly in the next year

The gold star on your driver's license will be needed for anyone 18 and older. Most people have been getting them as they've renewed their licenses over the past four or so years.
2 months ago
FILE - The Twitter splash page is seen on a digital device, Monday, April 25, 2022, in San Diego. E...
KELVIN CHAN AP Business Writer

Musk’s Twitter ambitions to collide with Europe’s tech rules

Europe's Digital Services Act requires big tech companies to police their platforms more strictly or face billions in fines.
2 months ago
secondary water davis weber...
Chandler Holt

WSU achieves water conservation goals four years early

Over 5 years ago, Weber State University set a water conservation goal to reduce campus water usage by 30% by 2025, a goal they achieved in 2021.
3 months ago

Sponsored Articles

Tax Harassment...
Jordan Wilcox

The best strategies for dealing with IRS tax harassment | You have options!

Learn how to deal with IRS tax harassment. This guide will teach you how to stop IRS phone calls and letters, and how to handle an IRS audit.
spend a day at Bear Lake...
Bear Lake Convention and Visitors Bureau

You’ll love spending the day at Bear Lake | How to spend a day at Bear Lake

Bear Lake is a place that needs to be experienced. Spend a day at Bear Lake.
Curb Appeal...
Price's Guaranteed Doors

How to have the best of both worlds for your house | Home security and curb appeal

Protect your home and improve its curb appeal with the latest security solutions like beautiful garage doors and increased security systems.
Prescription opioids can be disposed of during National Prescription Take Back Day...
Know Your Script

Prescription opioid misuse | How to protect your family from the opioid epidemic

Studies have shown that prescription opioid misuse has increased since COVID-19. So what do you need to know about these opioids?
national heart month...
Intermountain Healthcare

National Heart Month: 5 Lifestyle Changes to Make Today to Keep You Heart Healthy

Heart disease is the leading cause of death for both men and women. One person dies every 36 seconds in the United States from cardiovascular disease
Joseph Smith Memorial Building...
Temple Square

The Joseph Smith Memorial Building is an icon of Salt Lake City | Why hosting an event at this beautiful location will make you a hero this year

Here's why hosting an event at the iconic Joseph Smith Memorial Building in downtown Salt Lake City will make you a hero this year.
Researchers used a laser to hack Alexa and other voice assistants