Researchers from the University of Texas in San Antonio (UTSA) and the University of Colorado have developed a new type of attack, dubbed “Near-Ultrasound Inaudible Trojan” (NUIT), that can launch silent attacks on voice-activated devices such as smartphones and smart speakers.
The attack involves using near-ultrasound waves that human ears cannot detect, but that microphones in smart devices can pick up, allowing for the sending of malicious commands to the devices. The attack can be launched through websites that play media or YouTube videos, tricking users into playing malicious media on trustworthy sites.
The team of researchers demonstrated the NUIT attacks against popular voice assistants including Apple’s Siri, Google’s Assistant, Microsoft’s Cortana, and Amazon’s Alexa.
They tested 17 popular devices that run the voice assistants and found that they can all be owned using any voice, even robot-generated, except for Apple Siri, which requires emulating or stealing the target’s voice to accept commands.
The researchers explained that the attacks can be conducted in two different ways: NUIT-1, when a device is both the source and target of the attack, and NUIT-2, when the attack is launched by a device with a speaker to another device with a microphone. The attack scenarios demonstrated by the researchers involve sending commands to IoTs connected to the smartphone, such as unlocking doors or disabling home alarms, with little risk of the victim realizing this activity is taking place.
The full details of the NUIT attack will be presented at the 32nd USENIX Security Symposium, which is scheduled for August 9 and 11, 2023, at the Anaheim Marriott in Anaheim, California.
To protect against NUIT or similar attacks, users are advised to monitor their devices closely for microphone activations and to use earphones instead of speakers to listen to something or broadcast sound.
