Think twice before recharging an iPhone ontabletops in public places like airports and coffee shops. Surfing attack HACK – HACK iPhone
Researchers at the Michigan State University College of Engineeringhave discovered a new way for hackers to inexpensively target personal devices and put Apple’s Siri and Google Assistant to work against smartphone owners.
Qiben Yan, assistant professor in the Department of Computer Science and Engineering and lead author of the research,
said the research team discovered a new attack factor —
that can be sent
through wood, metal and glass tabletops
to command voice assistant devices up to 30 feet away.
inaudible vibrations that
can be sent through wood,
metal and glass tabletops to command voice
assistant devices up to 30 feet away.
The research, SurfingAttack,
was presented Feb.
24 at the Network and Distributed System Security Symposium in San Diego.
Yan advises smartphone owners to be wary of public charging stations. “Hackers could use malicious ultrasonic waves to secretly control the voice assistants in your smart devices,” he said.
“It can be activated
using phrases like,
‘OK Google’ or ‘Hey Siri,’ as wake-up words.
Then, attack commands
can be generated
to control your voice assistants, like
‘read my messages,’
or make a fraud call using text-to-speech technology.
“In other words,” Yan said, “they can call your friends, family and colleagues and do all sorts of things – from cancelling plans to asking for money.
If you are tech-savvy and own voice controllable smart home gadgets,
hackers may even use your smartphones to control your smart gadgets,
for example, setting home temperature or opening the garage door.”
Yan said hackers attach a low-cost piezoelectric transducer under a table or charging station, making it possible for an attacker to inconspicuously hijack two-factor authentication codes and even place fraudulent calls
Hanqing Guo, an MSU graduate student in the Department of Computer Science and Engineering and co-author of the study,
said “It’s pretty scary to see my phone
being activated and controlled in public spaces
without my knowledge.
Our research exposes the insecurity of smartphone voice assistants, which everyone needs to be aware of.”
SurfingAttack worked on 15 out of 17 phone models tested, including four iPhones; the 5, 5s, 6 and X; the first three Google Pixels; three Xiaomis; Mi 5, Mi 8 and Mi 8 Lite; the Samsung Galaxy S7 and S9 and the Huawei Honor View 8.
“Our research exposes the insecurity of smartphone voice assistants,”said Guo.
Yan, who directs MSU’s Secure Intelligent Things Lab, worked in collaboration with researchers from MSU, Washington University in St. Louis, Chinese Academy of Sciences and the University of Nebraska-Lincoln.
“Our best advice is if you are going to place your
unattended phone on a table to recharge,
make sure it’s not flat,”
“SurfingAttack can be
made less effective by
simply lifting your phone up or using a soft woven tablecloth.
Lean your phone on something to disrupt the ultrasonic guided waves. The fix is simple and adds a layer of security.”
View demonstration videos at Surfing Attack website.
SurfingAttack: Interactive Hidden Attack on Voice Assistants Using Ultrasonic Guided Wave
SurfingAttack exploits ultrasonic guided wave propagating through solid-material tables to attack voice control systems. By leveraging the unique properties of acoustic transmission in solid materials, we design a new attack called SurfingAttack that would enable multiple rounds of interactions between the voice-controlled device and the attacker over a longer distance and without the need to be in line-of-sight. By completing the interaction loop of inaudible sound attack, SurfingAttack enables new attack scenarios, such as hijacking a mobile Short Message Service (SMS) passcode, making ghost fraud calls without owners’ knowledge, etc.
Read the Paper, Cite
Team – HACK
discovered by the
following team of academic researchers:
- Qiben Yan at SEIT Lab, Michigan State University
- Kehai Liu at Chinese Academy of Sciences
- Qin Zhou at University of Nebraska-Lincoin
- Hanqing Guo at SEIT Lab, Michigan State University
- Ning Zhang at Washington University in St. Louis
- Surfing attack
- HACK iPhone
- How does SurfingAttack work?SurfingAttack modulates the voice command onto inaudible frequency band, and transmits attack signals using an off-the-shelf PZT transducer (cost $5 per piece) through different types of tables made of solid materials.
- What devices can
- be compromised by
- the commands injected via SurfingAttack?
- We validated successful SurfingAttack on the following devices, and we believe more devices could be vulnerable.
- The phones protected by silicone rubber phone cases are also vulnerable.ManufacturerModelOs/VersionBest fc(kHz)
- GooglePixelAndroid 1028.2GooglePixel 2Android 1027.0GooglePixel 3Android 1027.0MotoG5Android 7.027.0MotoZ4Android 9.028.2SamsungGalaxy S7Android 7.025.8SamsungGalaxy S9Android 9.026.5XiaomiMi 5Android 8.028.3XiaomiMi 8Android 9.025.6XiaomiMi 8 LiteAndroid 9.025.5HuaweiHonor View 10Android 9.027.7AppleiPhone 5iOS 10.0.0326.2AppleiPhone 5siOS 184.108.40.206AppleiPhone 6+iOS 1126.0AppleiPhone XiOS 220.127.116.11
What can the attackers do?
⚑ Make fraud call using your phone.
⚑ Retrieve your SMS verification code.
⚑ Interact with your devices using the voice assistants.
⚑ And much more…
★ Keep an eye on your devices placed on tabletops.
★ Reduce the touching surface area of your phones with the table.
★ Place the device on a soft woven fabric before touching the tabletops.
★ Use thicker phone cases made of uncommon materials such as wood.
★ Turn off lock screen personal results (or unlock with voice match) on Android.
★ Disable your Voice Assistant on lock screen,
and lock your device when you put it down.
Web surfing vulnerable to new ‘browsiing sniffing’ attacks
Scientists have discovered four new techniques to expose internet users’ browsing histories,
which could be
used by hackers to learn
which websites they have visited.
The techniques fall into the category of “history sniffing” attacks, a concept dating back to the early 2000s.
However, the attacks demonstrated by the researchers
from the University of California – San Diego in the US
can profile or ‘fingerprint’ a user’s online activity in
a matter of seconds, and work across recent versions
of major web browsers.
All of the attacks the researchers developed worked on Google Chrome.
Two of the attacks also worked on a range of other browsers, from Mozilla Firefox to Microsoft Edge, as well various security-focused research browsers.
The only browser which proved immune to all of the attacks is the Tor Browser, which doesn’t keep a record of browsing history in the first place, researchers said. “My hope is that the severity of some of our published attacks will push browser vendors to revisit how they handle history data, and I’m happy to see folks from Mozilla, Google, and the broader World Wide Web Consortium (W3C) community already engage in this,” said Deian Stefan, an assistant professor at UC San Diego.
Most internet users are by now familiar with “phishing;” cyber-criminals build fake websites which mimic, say, banks, to trick them into entering their login details, researchers said.
The more the phisher can learn about their potential victim, the more likely the con is to succeed, they said.
After conducting an effective history sniffing attack, a criminal could carry out a smart phishing scheme, which automatically matches each victim to a faked page corresponding to their actual bank.
The phisher preloads the attack code with their list of target banking websites, and conceals it in, for example, an ordinary-looking advertisement.
When a victim navigates to a page containing the attack, the code runs through this list,
testing or ‘sniffing’ the victim’s
browser for signs that it’s
been used to visit each target site.
When one of these sites tests positive, the phisher could then redirect their victim to the corresponding faked version.
The faster the attack, the longer the list of target sites an attacker can ‘sniff’ in a reasonable amount of time. The fastest history sniffing attacks have reached rates of thousands of URLs tested per second, allowing attackers to quickly put together detailed profiles of web surfers’ online activity.
Criminals could put this sensitive data to work in a number of ways besides phishing: for example, by blackmailing users with embarrassing or compromising details of their browsing histories.
History sniffing can
also be deployed by
legitimate, yet unscrupulous, companies
, for purposes like marketing and advertising, researchers said.
The attacks the researchers developed,
behave differently based on whether a
website had been visited or not.
The code can observe these differences
for example, the time an operation takes to execute or
the way a certain graphic
element is handled
— to collect the computer’s browsing history.
To design the attacks, researchers exploited features that
allow programmers to customise the appearance of their web page
—controlling fonts, colours, backgrounds, and so forth
—using Cascading Style Sheets (CSS),
as well as a cache meant to improve to performance of web code.
The researchers propose a bold fix to these issues:
they believe browsers should set explicit boundaries
controlling how users’
browsing histories are used
to display web pages from different sites.
Surfing attack – HACK iPhone – HACK GOOGLE