I wonder if this...
Also works with something like xbox? The fun to be had pranking someone midgame into having it close itself down..
Voice commands encoded in ultrasonic waves can, best case scenario, silently activate a phone's digital assistant, and order it to do stuff like read out text messages and make phone calls, we're told. The technique, known as SurfingAttack, was presented at the Network and Distributed Systems Security Symposium in California …
I'm assuming after ringing the doorbell that you ran away.
Otherwise you get the benefits of the flaming bag of poop and a possibly irate occupant.
Several decades ago, without the faecal flambeau, we called that game 'Knock down ginger', have no idea how that name came about.
As for remote activation of my phone, I wouldn't touch a voice activated assistant with yours let alone mine, plus the mike app is disabled on my phone.
On my Android phone the Google App is denied permission to access the microphone. Saying 'OK Google' does absolutely nothing. So clone my voice away, it will do you no good.
The idea of a piece of technology constantly listening to me creeps me out. My wife after she left me got an Alexa. I haven't been to her place in over a year.
I don't have a TV for economic and political reasons (not this side of Scottish Independence anyway) so don't have that to worry about since it seems harder to buy one without all this 'smart' tech in it these days.
I find I don't miss the TV any more, increasingly I would turn it off and do something else. Despite the full cable TV mix there was often nothing on worth watching of an evening. I tried Netflix on this laptop for the initial trial month and cut it short after getting bored. Stopped watching one SciFi thing after being asked to suspend disbelief one too many times. It was human pheromones which broke this camel's back. They have been thoroughly debunked. We are not moths. Visual stimuli have replaced our stunted sense of smell as all the Pron attests.
Be advised that this prank can be a Bad Idea if played on the wrong humorless git. Variants on this idea have got pranksters killed; one was shot dead when the prankee answered the door with a shotgun, and in another case the prankster and two of his friends were killed when the car they were attempting to escape in was run off the road by the very angry prankee. The guy with the shotgun got no punishment, thanks to the Castle Defense. The angry car driver is doing time for Murder One. Perhaps care should be taken during target selection.
Apparently this was at least the third flaming poo attack on the same house, and the target was ‘in fear for his life or property’, the flaming poo being, well, burning, and therefore was an arson attack. It worked... the car guy was also targeted multiple times, but didn’t have as good lawyers.
"Is poo particularly flammable? "
Not that I have ever tried to light any but I can't imagine human poo is much of a fuel, I do know that the American Plains Indians used buffalo 'chips' for their cooking fires and many nomadic Arabs used camel dung for similar purposes.
In "flaming bag of poo" it is the bag that is flaming, not the poo. The poo is concealed within the bag. The idea is that the victim doesn't know it is there, stamps on the bag to put the fire out, and thus gets poo on their shoe and possibly splatters themselves.
Now a bit better due to multiple security levels so may not be as much an issue, but... you could possibly use this to hack people's accounts with their phone. Swipe phone, get "2 factor password reset" code from the text being read by the assistant, take account credentials for a nice ride...
They may not have you on the system now, but in the future they might and during your court case for that white collar crime you might commit (petty cash theft, fare dodging, unpaid parking fine), they may bring up the previously unsolved shit incident.
Given how things tend to get blown out of proportion through the lens of the media and the courts.
That theft of £10 from petty cash and the shit incident 20 years ago will be conflated into "a life of crime" and you'll be prosecuted like a hardened criminal at which point you'll be sentenced like a rapist / murderer.
Before you know it, there will be a special crime unit set up for investigating these crimes...the Faeces Found Smoulder division (FFS) working in tandem with the Faecal Matter Forensics Laboratory (FMFL).
Meanwhile in response to this "problem" a team of people from Oxbridge will set up a special research team and funnel through hundreds of people who will go on to get a PhD in shit based crimes and pranks.
Dr Sanjit H. Itinabhag PhD (failed) of the University of Delhi will make regular appearances with Phil and Holly in the TV to discuss the epidemic.
The Sun will then start running national headlines to make people afraid of the problem.
Politicians will then debate it and pass law relating to the act in question.
Albert's Law will be passed in his memory because there's nothing funny about watching your arsehole neighbour, who punctured your football on his lawn when you were 8, stomping out flaming turds and slipping on them.
Don't shit in a bag and leave it on someone's doorstep kids, you'll get 25 years later in life...if you're lucky...and waste millions in taxpayer money...the rest of us will have to watch it all pan out for decades on the TV and in the news...we'll end up with Maps on our doorstep pledging to "do something about it".
Just don't do it. FFS.
And kids today aren't smart enough to wear masks that cover their face & hair
But if they cover their face, how are they going to unlock their phone to record the prank so they can post it on Facebook, Youtube and all the other social media outlets they use? And they need to have their face seen in the video of the prank to prove that they did it.
We had a neighbour who had mental health problems from an early age, not aided by the extreme painkillers she needed for spine problems later in life, and having a house-bound dependent to look after in her one-bedroom flat. The local kids thought it was hilarious to knock on her door and run away.
The police came asking after her one day as she had disappeared. I have heard nothing of her since.
The kids I caught had that rabbit-in-the-headlights look. Yeah, knock-down ginger is a real laugh.
"The best way to defend yourself from these attacks is to turn off voice commands, or only allow assistants to work when a handheld is unlocked."
Another good way that still allows use of voice commands is to disable the vocal trigger to start the assistant. The user can still use commands, but only by pressing a button on the phone to do so. If they have a complex unlocking system and allow a few commands to run without unlocking, this allows them to do that as well. It does prevent using the device when the device isn't near you, but when comparing it to disabling the feature entirely, it will have less effect on a user who uses the commands.
As attacks go, it's interesting but not the most frightening. It requires a lot of attacker investment and physical proximity. If they do it and I am there, I will likely hear my phone as it reads my new messages aloud and so I'll interrupt it and possibly look for a cause. If they're banking on my not being there so I don't notice the information being read out, they could have someone run in and grab my phone, which would be faster and require less investment on their part.
Interesting idea. However, they probably wouldn’t get much of interest from my phone. For one thing, I’ve disabled vocal activation. For another, I don’t allow Siri to unlock my phone. I also rarely leave my phone anywhere, unless I am asleep. Even then it’s on the bedside cabinet, so I might hear it.
Even assuming they got into my phone, all they would likely discover is that we need some milk and bread when I pass the supermarket. Ok, they might get into my work email, but due to an overzealous 2fa system, seemingly three out of four times the client is activated, I need to enter a code from a text. And the Authenticator doesn’t work with Siri.
Um. That's already an actual feature. Why do you think totally unrelated/required apps ask for "microphone access" even though they are not recording/phonecall apps? It's so the makers also know if you're watching their ads/sponsor spots (and yes, patents/marketing options exist for the ultrasound/steganography sounds).
Thus the "cola collect 3 game" (made up example) that does not need a mic to play, asks for mic access, and knows when you watch/how many ads you watch on tv.
You beat me to it!
For some reason it reminded me of the Sarah Silverman fuc#ing Matt Damon song aimed at Jimmy Kimmel. If you haven't seen it it's well worth a look lol
tricking assistants isn't particularly new... wasn't there a TV ad a few years back that kept waking up XBoxes, or something...
with the effort needed to successfully pull off this attack, Proximity, knowing which assistant is enabled(or not) voice matching (even with AI assistance) the end result - unless spooking someone for the lol's, is a pretty meh amount of access to a device - a possible phonecall to a premium rate number? but that would probably be worth less than the time invested... maybe you could get it to open a door - but then you would need to know your target had an enabled lock and then, a brick and window would be easier...
I know - proof of concept and all that, but I use google quite a bit and the information I can get out of it - knowing how and where said data is - is pretty inconsequential!
I presume this works due to a lack of a low pass filter between the microphone and the ADC and the fact ANY unfiltered ADC will alias signals above the sample rate, acting like a mixer. So it also relies on knowing the default sample rate for the model.
A remotely connected piece of custom HW can be fitted in a light socket, plug socket, behind a clock, smoke alarm, built into table etc. Connected to UWB spread spectrum, GSM, 3G, 4G, fibre or WiFi.
Ever tried to convince someone that you don't want to have a private conversation until they turn off their device? Usually people just get offended and tell you off.
Enter this hack.
Just activate their device and voila; they're instant converts to the security implications of 'smart' devices.
They may still counter that "they've got nothing to hide" and all that, but at least they will have to admit you had a point.
Why are the microphones in these devices even capable of picking up ultrasonic frequencies?
Even if that's just how a good quality microphone works these days, one would think that in a device intended for human vocal communication that any sounds above 20kHz would be considered useless noise and be removed via a low-pass filter.
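Added illustration, not part of any comment in this thread: the aliasing effect raised a few comments up and the low-pass filter asked about just above, simulated on a pure tone. The 48 kHz ADC rate, 30 kHz tone, 20 kHz cutoff and 201-tap filter are assumed values, and the code models only textbook sampling, not the SurfingAttack itself.

```python
import math

FS_ANALOG = 384_000          # dense grid standing in for the analog signal (assumed)
DECIM = 8                    # the ADC keeps every 8th point
FS_ADC = FS_ANALOG // DECIM  # 48 kHz sample rate (assumed)

def alias_frequency(f_hz, fs_hz):
    """Frequency at which a tone of f_hz appears after sampling at fs_hz."""
    f = f_hz % fs_hz
    return fs_hz - f if f > fs_hz / 2 else f

def lowpass_taps(cutoff_hz, fs_hz, n_taps=201):
    """Hamming-windowed sinc FIR low-pass, normalised to unity gain at DC."""
    mid, fc = (n_taps - 1) / 2, cutoff_hz / fs_hz
    taps = []
    for i in range(n_taps):
        x = i - mid
        h = 2 * fc if x == 0 else math.sin(2 * math.pi * fc * x) / (math.pi * x)
        taps.append(h * (0.54 - 0.46 * math.cos(2 * math.pi * i / (n_taps - 1))))
    total = sum(taps)
    return [t / total for t in taps]

def fir(signal, taps):
    """Convolve, keeping only outputs where the filter fully overlaps the signal."""
    n = len(taps)
    return [sum(taps[k] * signal[i + n - 1 - k] for k in range(n))
            for i in range(len(signal) - n + 1)]

def tone_amplitude(samples, f_hz, fs_hz):
    """Amplitude of the f_hz component (single-bin DFT)."""
    w = 2 * math.pi * f_hz / fs_hz
    re = sum(s * math.cos(w * i) for i, s in enumerate(samples))
    im = sum(s * math.sin(w * i) for i, s in enumerate(samples))
    return 2 * math.hypot(re, im) / len(samples)

def captured_amplitude(tone_hz, anti_alias):
    """Amplitude the ADC records for a unit tone, measured where it lands."""
    analog = [math.sin(2 * math.pi * tone_hz * i / FS_ANALOG) for i in range(7680)]
    if anti_alias:  # 20 kHz low-pass applied before sampling
        analog = fir(analog, lowpass_taps(20_000, FS_ANALOG))
    samples = analog[::DECIM]
    return tone_amplitude(samples, alias_frequency(tone_hz, FS_ADC), FS_ADC)

if __name__ == "__main__":
    print("30 kHz lands at", alias_frequency(30_000, FS_ADC), "Hz")
    for tone in (1_000, 30_000):
        print(tone, captured_amplitude(tone, False), captured_amplitude(tone, True))
```

Without the filter the 30 kHz tone is recorded at full strength as an 18 kHz component; with it the tone is attenuated before sampling while a 1 kHz voice-band tone passes essentially unchanged.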
"... any sounds above 20kHz would be considered useless noise and be removed via a low-pass filter."
But a low-pass filter costs 5c/2p which adds up when you are producing millions of phones and the 'Poor' companies cannot afford to spend this extra cash !!!
:) [Tongue firmly in cheek]
Maybe it's "working as intended"?
There have been cases of apps being able to listen for specific signals from broadcast TV, mostly used for marketing/advertising/profiling purposes. So perhaps this is an intended capability of the device for use in those types of situations?
Oh this could be fun.
"Text Wife I'm bringing home Sally, we can have that threesome tonight."
Innocently ask the next day how their evening went.
Alternately it is plausible deniability.
"Why boss that text I sent saying you are full of it. Why some evil person must have hacked my cell phone with that ultrasound thing."