Researchers Send Commands to Phone Assistants Using Ultrasonic Waves through Tables

Researchers from Washington University in St. Louis found that both Android and iPhone devices are susceptible to SurfingAttack, a new technique that lets bad actors send commands using ultrasonic waves through various surfaces.

Cyberaware people who worry about hackers or other security issues generally expect those disruptions to come through an online connection. But it turns out mobile devices can also be manipulated through physical mediums, and not just through the Internet.

SurfingAttack is a technique that uses ultrasonic waves to trigger commands, through personal assistants, without alerting the owner of the device. The sensors in modern smartphones are capable of picking up much more than the normal range of human senses, and attackers can use that to their advantage.

The researchers managed to build a proof-of-concept demo that illustrates how this attack would take place in the real world, and to say their efforts were met with stunning success would be an understatement.

“We want to raise awareness of such a threat,” said Ning Zhang, assistant professor of computer science and engineering at the McKelvey School of Engineering and one of the co-authors of the research. “If you know how to play with the signals, you can manipulate them such that when the phone interprets the incoming sound waves, it will think that you are saying a command.”

With a setup that involved a carefully placed microphone and a piezoelectric transducer, along with a waveform generator, it was possible to trigger a phone to read aloud an SMS message, which happened to contain a two-factor authentication code, and to initiate a call, transforming smartphones into listening devices.

There’s a caveat, though. The attackers need to imitate the voice of the device’s owner in cases where the phone assistant is trained to recognize the owner’s voice. Many smartphone users don’t go through the process of training the phone to only respond to their voice.

The SurfingAttack technique worked very well thorough wood and metal, from distances of up to 30 feet. Plastic tables were not as good at conducting sound waves, but the attack still worked to some degree.