Some attacks are hard to spot even for a human listener. A series of distorted voice commands surreptitiously hidden in YouTube videos can force unprotected Android or iOS smartphones to carry out malicious operations, researchers have discovered.
Controlling smartphones with voice commands had already been demonstrated last year, when two security researchers from the French agency ANSSI used radio waves to send hidden commands to smartphones running Siri or Google Now. That attack was possible only if the phone had its headphones plugged in.
YouTube attack is simpler to carry out
A team of seven researchers from the University of California, Berkeley, and Georgetown University has devised a variation of this attack that uses mangled voice commands hidden in YouTube videos.
The attack works when the user is viewing a tainted YouTube video that contains hidden commands. The victim can view the video on a nearby PC, laptop, smart TV, tablet, or another smartphone.
Once the target phone picks up the mangled speech, the audio filtering built into Siri's or Google Now's speech recognition cleans up the sound and the assistant executes the commands.
The researchers have recorded a video of their attack, embedded below, which shows that some of the mangled voice commands are easy to pick up by a human paying enough attention, but some of the commands are not (the white-box model).
Attacks can range from pranks to malware distribution
The attack can be stopped, but it can also finish executing before the phone owner understands what is really happening.
The types of hidden commands embedded in such videos range from simple Google searches to instructions to download and install malware, eventually allowing the attacker to take full control of the device.
The researchers argue that a series of defenses can be put in place, such as notifying the user when voice commands are accepted or adding a verbal challenge-response system.
Technical details about the attack are available in the researchers' Hidden Voice Commands paper, found on their project's official website. More YouTube demos are also included, but make sure to disable your phone's voice command input first.
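As an added illustration of the verbal challenge-response defense mentioned above (this is example code written for this article, not code from the Hidden Voice Commands project), the gate below lets low-risk commands through but logs them, and holds any high-risk command (download, install, open a URL) until the user repeats a freshly chosen challenge word within a short window. The keyword list, word list and time limit are assumptions chosen for the demonstration.

```python
import secrets
import time

# Assumed: commands the article says the attack abuses (downloads, installs,
# opening pages) count as high-risk; plain searches do not.
HIGH_RISK_KEYWORDS = ("install", "download", "open http", "open www")
CHALLENGE_WORDS = ("apple", "river", "copper", "violet", "marble", "pencil")


class VoiceCommandGate:
    """Require a spoken one-time challenge before a high-risk command runs.

    A pre-recorded command hidden in a video cannot know the challenge word,
    which is picked at random only after the command arrives, so it cannot
    complete the exchange. The user is notified of every accepted command
    through the audit log.
    """

    def __init__(self, ttl_seconds=15):
        self.ttl = ttl_seconds
        self.pending = None   # (command, challenge_word, issued_at)
        self.log = []         # (event, command) tuples surfaced to the user

    @staticmethod
    def is_high_risk(command):
        text = command.lower()
        return any(keyword in text for keyword in HIGH_RISK_KEYWORDS)

    def submit(self, command, now=None):
        """Execute a low-risk command, or issue a challenge for a high-risk one."""
        now = time.time() if now is None else now
        if not self.is_high_risk(command):
            self.log.append(("executed", command))
            return "executed"
        challenge = secrets.choice(CHALLENGE_WORDS)
        self.pending = (command, challenge, now)
        self.log.append(("challenge_issued", command))
        return "say the word: " + challenge

    def respond(self, spoken, now=None):
        """Check the user's spoken reply; only a fresh, exact match runs the command."""
        now = time.time() if now is None else now
        if self.pending is None:
            return "nothing pending"
        command, challenge, issued = self.pending
        self.pending = None                     # one attempt per challenge
        if now - issued > self.ttl:
            self.log.append(("expired", command))
            return "expired"
        if spoken.strip().lower() != challenge:
            self.log.append(("rejected", command))
            return "rejected"
        self.log.append(("executed", command))
        return "executed"
```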