Voice Recognition Hacking
Voice-activated technology is so easily hacked that it should be disabled on all devices that support it, according to the chief technology officer of AVG, a leading Internet security firm. Here's what you need to know, and do...
Are You Vulnerable to Voice Hackers?
In a recent Forbes magazine interview, Yuval Ben-Itzhak, CTO of AVG, made these rather surprising comments about devices with voice recognition capability:
“Microphones should be disabled immediately and our current recommendation is that the user switch off features [involving voice commands]… At the moment, leaving biometric technology as it is today is like leaving a computer without a password and just allowing anyone to walk by, click and take an action.”
The problem is that current voice-recognition tech has no provision for authentication; it does not require proof that the speaker is who he or she sounds like. In fact, the “speaker” doesn’t have to make a sound, or even be human.
Ben-Itzhak and his team proved their point by creating an Android game that secretly recorded a player’s voice and synthesized voice commands that Google Now would accept. The “voice” was able to direct Google Now to send emails to contacts stored on the device. It's a spammer’s dream come true. For instance, “Help, friends! I’m stuck in a small town with a blown engine. Need money to get home. Please Paypal whatever you can spare to [email protected]".
Another experimental app used a smartphone’s built-in accelerometer to guess when the owner wasn’t paying attention. While the phone was in motion, synthesized voice commands caused it to dial a premium rate number. The call was dropped when the phone stopped moving. Such a rogue app could run up huge profits for phone scammers. (The assumption that a moving phone is not glued to its owner’s face is a bit naïve, but this is proof of concept stuff.)
Siri, We Thought We Knew You
Even without rogue apps and synthesized voice commands, Apple’s Siri will betray you to just about anyone. While looking for security flaws in a preview of iOS 8, Jose Rodriguez discovered that the Siri voice-activated PDA will let a user bypass an iPhone’s password-protected lockscreen. After Siri let him in via the side door, Rodriguez was able to view contacts and call history on the iPhone, post to Facebook, and even hijack a WhatsApp account without knowing its password.
Oddly enough, Apple considers this a feature, not a bug. But there is a way to disable it. On your iOS device, go to Settings, then Passcode, then look for the "Allow access when locked section". Set Siri to the off position so it can't interact with users from the lock screen. (Siri will still work the same when the phone is unlocked.)
Voice-activated tech is the next big thing. It’s in phones, tablets, and cars. It’s in the newest TV sets, game consoles, and even beer coolers. And according to AVG, it's leaving users exposed to an ever-growing number of attack vectors.
Ben-Itzhak doesn't know of any actual voice input exploits, but is calling for some sort of authentication for voice-activated tech. He says AVG is not working on any software solution to the authentication problem. It’s up to the industry (specifically, those who create mobile operating systems) to create a standardized authentication protocol that does not diminish the convenience of voice commands.
Should You Take Action?
Ben-Itzhak's advice is a relevant heads-up to Apple, Microsoft and Google. They are the ones who create the software in question. But do users like you and me need to take any defensive action right now? It seems to me that this vulnerability is (for now) limited to rogue apps. So if you're not downloading from third-party app stores you should be safe. I find voice input incredibly useful on my Android phone when composing text messages or using Maps, so I don't plan to change my habits.
If you don't use voice input anyway, it's probably a good idea to disable it. But I have no idea what the AVG CTO means by "microphones should be disabled." That would make it impossible to make a phone call, and after doing some digging, my conclusion is that there is no way to completely disable voice input on Android or iOS devices. But there are some steps you can take to limit it.
On Android devices, open the "Google Settings" app. Tap "Search & Now" then tap "Voice". Tap "Ok Google detection" and turn that setting off. On the iPhone or iPad, you can disable Siri by going to Settings, then General, then Siri, and turn Siri off.
My car has voice input, but every time I try to use it for navigation, it wants to send me to a non-existent town in Oregon. So maybe I'm better off disabling that feature, or learning to speak with a German accent.
Do you use voice input on your mobile device, your TV, or your beer cooler? Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 9 Jul 2015
|For Fun: Buy Bob a Snickers.|
Geekly Update - 08 July 2015
The Top Twenty
SECURITY TIP: Lock Down Your WiFi Router
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Voice Recognition Hacking (Posted: 9 Jul 2015)
Copyright © 2005 - Bob Rankin - All Rights Reserved