Voice Recognition Hacking
Voice-activated technology is so easily hacked that it should be disabled on all devices that support it, according to the chief technology officer of AVG, a leading Internet security firm. Here's what you need to know, and do... |
Are You Vulnerable to Voice Hackers?
In a recent Forbes magazine interview, Yuval Ben-Itzhak, CTO of AVG, made these rather surprising comments about devices with voice recognition capability:
“Microphones should be disabled immediately and our current recommendation is that the user switch off features [involving voice commands]… At the moment, leaving biometric technology as it is today is like leaving a computer without a password and just allowing anyone to walk by, click and take an action.”
The problem is that current voice-recognition tech has no provision for authentication; it does not require proof that the speaker is who he or she sounds like. In fact, the “speaker” doesn’t have to make a sound, or even be human.
Ben-Itzhak and his team proved their point by creating an Android game that secretly recorded a player’s voice and synthesized voice commands that Google Now would accept. The “voice” was able to direct Google Now to send emails to contacts stored on the device. It's a spammer’s dream come true. For instance, “Help, friends! I’m stuck in a small town with a blown engine. Need money to get home. Please Paypal whatever you can spare to me@example.com".
Another experimental app used a smartphone’s built-in accelerometer to guess when the owner wasn’t paying attention. While the phone was in motion, synthesized voice commands caused it to dial a premium rate number. The call was dropped when the phone stopped moving. Such a rogue app could run up huge profits for phone scammers. (The assumption that a moving phone is not glued to its owner’s face is a bit naïve, but this is proof of concept stuff.)
Siri, We Thought We Knew You
Even without rogue apps and synthesized voice commands, Apple’s Siri will betray you to just about anyone. While looking for security flaws in a preview of iOS 8, Jose Rodriguez discovered that the Siri voice-activated PDA will let a user bypass an iPhone’s password-protected lockscreen. After Siri let him in via the side door, Rodriguez was able to view contacts and call history on the iPhone, post to Facebook, and even hijack a WhatsApp account without knowing its password.
Oddly enough, Apple considers this a feature, not a bug. But there is a way to disable it. On your iOS device, go to Settings, then Passcode, then look for the "Allow access when locked section". Set Siri to the off position so it can't interact with users from the lock screen. (Siri will still work the same when the phone is unlocked.)
Voice-activated tech is the next big thing. It’s in phones, tablets, and cars. It’s in the newest TV sets, game consoles, and even beer coolers. And according to AVG, it's leaving users exposed to an ever-growing number of attack vectors.
Ben-Itzhak doesn't know of any actual voice input exploits, but is calling for some sort of authentication for voice-activated tech. He says AVG is not working on any software solution to the authentication problem. It’s up to the industry (specifically, those who create mobile operating systems) to create a standardized authentication protocol that does not diminish the convenience of voice commands.
Should You Take Action?
Ben-Itzhak's advice is a relevant heads-up to Apple, Microsoft and Google. They are the ones who create the software in question. But do users like you and me need to take any defensive action right now? It seems to me that this vulnerability is (for now) limited to rogue apps. So if you're not downloading from third-party app stores you should be safe. I find voice input incredibly useful on my Android phone when composing text messages or using Maps, so I don't plan to change my habits.
If you don't use voice input anyway, it's probably a good idea to disable it. But I have no idea what the AVG CTO means by "microphones should be disabled." That would make it impossible to make a phone call, and after doing some digging, my conclusion is that there is no way to completely disable voice input on Android or iOS devices. But there are some steps you can take to limit it.
On Android devices, open the "Google Settings" app. Tap "Search & Now" then tap "Voice". Tap "Ok Google detection" and turn that setting off. On the iPhone or iPad, you can disable Siri by going to Settings, then General, then Siri, and turn Siri off.
My car has voice input, but every time I try to use it for navigation, it wants to send me to a non-existent town in Oregon. So maybe I'm better off disabling that feature, or learning to speak with a German accent.
Do you use voice input on your mobile device, your TV, or your beer cooler? Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 9 Jul 2015
| For Fun: Buy Bob a Snickers. |
 |
Prev Article: Geekly Update - 08 July 2015 |
The Top Twenty |
Next Article: SECURITY TIP: Lock Down Your WiFi Router |
 |
Post your Comments, Questions or Suggestions
|
Free Tech Support -- Ask Bob Rankin Subscribe to AskBobRankin Updates: Free Newsletter Copyright © 2005 - Bob Rankin - All Rights Reserved About Us Privacy Policy RSS/XML |
Article information: AskBobRankin -- Voice Recognition Hacking (Posted: 9 Jul 2015)
Source: https://askbobrankin.com/voice_recognition_hacking.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Voice Recognition Hacking"
Posted by:
Tim
09 Jul 2015
Hello Bob, I read this article and tried to get into my iPhone via Siri and was unable to. Siri is turned on while my phone is locked, I can send a text and phone call via Siri but am unable to access my contacts. The phone keeps asking for my password. I am running IOS 8.4 on a 4S. Is it possible that Apple closed this back door you're talking about or am I missing something?
Posted by:
Frank
09 Jul 2015
I always use voice to compose text messages. I usually have to correct them manually but it is still easier for me. I have a Galaxy 3.
Posted by:
Ihor Prociuk
10 Jul 2015
Hi Bob:
On my Galaxy S5, there is an option under Google settings called "Trusted Voice". It's grayed-out and there is a subtext that states "This feature is currently unavailable for this language". It would seem that they are, at least, aware of the problem.
Posted by:
p38arover
10 Jul 2015
I recently needed to talk to the Australian Tax Office staff and they now offer voice recognition to allow one to access one's file without having to go through the usual over-the-phone ID checks.
Posted by:
Jim
14 Jul 2015
I tried using the voice control on my beer cooler but it always seemed to stop working after about 6 beers. I haven't been able to troubleshoot it because every time I try, I seem to fall asleep, and when I wake up it's working fine again. Just one of those intermittent problems I guess.