Researchers Reveal Hidden Audio Techniques Designed To Activate Voice Assistants

Carlini and Wagner's research builds on past work showing that deep-learning systems for image recognition are vulnerable to adversarial perturbations.
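To give a rough sense of what an adversarial perturbation is, the sketch below uses the well-known fast gradient sign method against a hypothetical PyTorch image classifier. The model, label, and epsilon value are placeholders for illustration, not the setup used in the research described here.

```python
import torch
import torch.nn.functional as F

def fgsm_perturb(model, image, true_label, epsilon=0.01):
    """Fast gradient sign method: nudge each pixel slightly in the
    direction that increases the classifier's loss, producing an image
    that looks unchanged to a person but may be misclassified."""
    image = image.clone().detach().requires_grad_(True)
    loss = F.cross_entropy(model(image), true_label)
    loss.backward()
    # Perturb each pixel by at most epsilon, then clamp to a valid range.
    adversarial = image + epsilon * image.grad.sign()
    return adversarial.clamp(0.0, 1.0).detach()
```

The same basic idea carries over to audio: a small, carefully chosen change to the input shifts the model's output without being obvious to a human observer.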

A new report examines techniques researchers have used to trigger actions from Apple's Siri, Amazon's Alexa, and Google Assistant - techniques that involve sending secret audio instructions which are "undetectable to the human ear". The researchers were able to secretly activate the three AI assistants, making them dial phone numbers or open websites.

Taking the research further, some of the same Berkeley researchers published a paper this month demonstrating that they could embed silent commands directly into recordings of spoken text and into music files.

So far this has only been done in lab conditions, but speaking about the findings, which follow on from a study the team conducted in 2016, Nicholas Carlini, one of the paper's authors, said: "My assumption is that the malicious people already employ people to do what I do".

Speech-recognition systems typically translate each sound to a letter, eventually compiling those into words and phrases. By inserting a smart-speaker command into white noise, the researchers essentially camouflaged the commands from human listeners.

Meanwhile, virtual assistants are being trusted with increasingly consequential tasks - just today, a new blog post from smart lock company August claims that "August Makes Unlocking with Alexa Even Easier".

Individual user voice recognition is one protocol that could prevent such silent commands from succeeding: if your smart speaker is calibrated to respond only to your voice, a silent command should, in theory, have no effect on it.
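As a rough illustration of that kind of defense, a speaker-verification gate might compare an embedding of the incoming audio against a stored voiceprint of the enrolled owner and ignore commands that do not match. The sketch below is a simplified assumption of how such a check could work; the embedding vectors and threshold are hypothetical, not any vendor's actual implementation.

```python
import numpy as np

def cosine_similarity(a, b):
    """Cosine similarity between two speaker-embedding vectors."""
    return float(np.dot(a, b) / (np.linalg.norm(a) * np.linalg.norm(b)))

def should_obey(command_embedding, owner_embedding, threshold=0.8):
    """Accept a voice command only if its speaker embedding is close
    enough to the enrolled owner's voiceprint.  A hidden command in a
    different 'voice' would, in theory, fall below the threshold."""
    return cosine_similarity(command_embedding, owner_embedding) >= threshold
```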

Apple said that Siri has protections in place that limit the opportunities to execute this type of attack.

Similar techniques have been demonstrated using ultrasonic frequencies: researchers at Princeton and China's Zhejiang University demonstrated what they call the "DolphinAttack", which transmits commands at frequencies inaudible to humans. The attack first muted the phone so the owner wouldn't hear the system's responses. More recently, researchers have also found that malicious commands for digital assistants can be hidden inside songs.
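The trick generally described for ultrasonic attacks of this kind is to amplitude-modulate an ordinary voice command onto a carrier above the range of human hearing; nonlinearities in the device's microphone then demodulate it back into audible-band speech that the assistant transcribes. The NumPy sketch below shows only the modulation step, with an assumed sample rate and carrier frequency, not the researchers' actual signal chain.

```python
import numpy as np

def modulate_ultrasonic(command, sample_rate=192_000, carrier_hz=25_000):
    """Amplitude-modulate a baseband voice command onto an ultrasonic
    carrier.  `command` is a float array in [-1, 1], already resampled
    to `sample_rate`.  The result is above the range of human hearing,
    but microphone nonlinearities can shift it back into the audible band."""
    t = np.arange(len(command)) / sample_rate
    carrier = np.cos(2 * np.pi * carrier_hz * t)
    # Classic AM: shift the command's spectrum up around the carrier frequency.
    return (1.0 + command) * carrier * 0.5
```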

This year, another group of researchers from China's Academy of Sciences and other Chinese and American institutions demonstrated that they could control voice-activated devices with commands embedded in songs, which could be broadcast over the radio or played on services like YouTube.

The Berkeley group also embedded the command in music files, including a four-second clip from Verdi's "Requiem".
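Attacks of this kind are generally described as an optimization problem: starting from the original clip, search for the smallest perturbation that makes the speech-recognition model output the attacker's chosen transcript while remaining hard for a listener to notice. The PyTorch sketch below outlines that loop in generic terms; the model, loss function, and parameters are placeholders rather than the Berkeley group's actual code.

```python
import torch

def embed_command(model, loss_fn, clip, target_transcript,
                  steps=1000, lr=1e-3, max_delta=0.01):
    """Search for a small perturbation `delta` such that model(clip + delta)
    is decoded as `target_transcript`, while keeping the perturbation quiet
    relative to the original audio clip."""
    delta = torch.zeros_like(clip, requires_grad=True)
    optimizer = torch.optim.Adam([delta], lr=lr)
    for _ in range(steps):
        optimizer.zero_grad()
        # Loss is low when the model transcribes the perturbed audio
        # as the attacker's target phrase.
        loss = loss_fn(model(clip + delta), target_transcript)
        loss.backward()
        optimizer.step()
        # Keep the perturbation small so it stays hard to hear.
        delta.data.clamp_(-max_delta, max_delta)
    return (clip + delta).detach()
```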
