Researchers find a way to remotely control Siri using radio waves

BY Smidh

Published 14 Oct 2015


Researchers at the French government agency ANSSI have found that Siri, Apple’s personal voice assistant in iOS, and Google Now on Android can be controlled through radio waves from as far away as 16 feet.

The hack does require that headphones with a built-in microphone be plugged into the iPhone or Android device. The researchers transmitted electromagnetic waves that the headphone cord, acting as an antenna, converted into electrical signals. These electrical signals are then recognised by iOS (or Android) as input from the microphone.

“The possibility of inducing parasitic signals on the audio front-end of voice-command-capable devices could raise critical security impacts,” the two French researchers, José Lopes Esteves and Chaouki Kasmi, write in a paper published by the IEEE.

The hack does not require any high-tech equipment. In its smallest form, the setup could easily fit inside a backpack and has a range of around 6.5 feet. With larger batteries, the system can be used to send signals to devices that are up to 16 feet away.

On iPhone 6s and iPhone 6s Plus, the ability to bring up Siri on the lock screen is enabled by default. It is even possible to bring up Siri when the devices are sleeping. This makes them easily vulnerable to this hack, without the user ever knowing about it. However, the researchers note that previous iOS and iPhone versions are also vulnerable, as the electrical signals can be used to spoof a button press that then enables Siri.

Google Now on Android uses voice recognition technology when triggered, so most Android devices are relatively safe from this hack.

The researchers have already contacted Apple and Google about this hack, with possible solutions and workarounds. Their recommendations include better shielding for the headphone cord, using the electromagnetic sensor in the phone to block such attacks, or allowing users to set up custom launch phrases.

[Via Wired]