Attack NEW WAY TO HACK SIRI AND GOOGLE ASSISTANT WITH ULTRASONIC WAVES

Think twice before recharging an iPhone ontabletops in public places like airports and coffee shops. Surfing attack HACK – HACK iPhone

Researchers at the Michigan State University College of Engineeringhave discovered a new way for hackers to inexpensively target personal devices and put Apple’s Siri and Google Assistant to work against smartphone owners.

Qiben Yan, assistant professor in the Department of Computer Science and Engineering and lead author of the research,

said the research team discovered a new attack factor —

inaudible vibrations

that can be sent

through wood, metal and glass tabletops

to command voice assistant devices up to 30 feet away.

inaudible vibrations that

can be sent through wood,

metal and glass tabletops to command voice

assistant devices up to 30 feet away.

The research, SurfingAttack,

was presented Feb.

24 at the Network and Distributed System Security Symposium in San Diego. 

Yan advises smartphone owners to be wary of public charging stations. “Hackers could use malicious ultrasonic waves to secretly control the voice assistants in your smart devices,” he said.

“It can be activated

using phrases like,

‘OK Google’ or ‘Hey Siri,’ as wake-up words.

Then, attack commands

can be generated

to control your voice assistants, like

‘read my messages,’

or make a fraud call using text-to-speech technology.

“In other words,” Yan said, “they can call your friends, family and colleagues and do all sorts of things – from cancelling plans to asking for money.

If you are tech-savvy and own voice controllable smart home gadgets,

hackers may even use your smartphones to control your smart gadgets,

for example, setting home temperature or opening the garage door.”

Yan said hackers attach a low-cost piezoelectric transducer under a table or charging station, making it possible for an attacker to inconspicuously hijack two-factor authentication codes and even place fraudulent calls

Hanqing Guo, an MSU graduate student in the Department of Computer Science and Engineering and co-author of the study,

said “It’s pretty scary to see my phone

being activated and controlled in public spaces

without my knowledge.

Our research exposes the insecurity of smartphone voice assistants, which everyone needs to be aware of.”

SurfingAttack worked on 15 out of 17 phone models tested, including four iPhones; the 5, 5s, 6 and X; the first three Google Pixels; three Xiaomis; Mi 5, Mi 8 and Mi 8 Lite; the Samsung Galaxy S7 and S9 and the Huawei Honor View 8.

“Our research exposes the insecurity of smartphone voice assistants,”said Guo.

Yan, who directs MSU’s Secure Intelligent Things Lab, worked in collaboration with researchers from MSU, Washington University in St. Louis, Chinese Academy of Sciences and the University of Nebraska-Lincoln.

“Our best advice is if you are going to place your

unattended phone on a table to recharge,

make sure it’s not flat,”

he said.

“SurfingAttack can be

made less effective by

simply lifting your phone up or using a soft woven tablecloth.

Lean your phone on something to disrupt the ultrasonic guided waves. The fix is simple and adds a layer of security.”

View demonstration videos at Surfing Attack website.

SurfingAttack: Interactive Hidden Attack on Voice Assistants Using Ultrasonic Guided Wave

SurfingAttack exploits ultrasonic guided wave propagating through solid-material tables to attack voice control systems. By leveraging the unique properties of acoustic transmission in solid materials, we design a new attack called SurfingAttack that would enable multiple rounds of interactions between the voice-controlled device and the attacker over a longer distance and without the need to be in line-of-sight. By completing the interaction loop of inaudible sound attack, SurfingAttack enables new attack scenarios, such as hijacking a mobile Short Message Service (SMS) passcode, making ghost fraud calls without owners’ knowledge, etc.

Read the Paper, Cite

Team – HACK

SurfingAttack was

discovered by the

following team of academic researchers:

• Qiben Yan at SEIT Lab, Michigan State University
• Kehai Liu at Chinese Academy of Sciences
• Qin Zhou at University of Nebraska-Lincoin
• Hanqing Guo at SEIT Lab, Michigan State University
• Ning Zhang at Washington University in St. Louis
• Surfing attack
• HACK iPhone
• iPhone

Features

• How does SurfingAttack work?SurfingAttack modulates the voice command onto inaudible frequency band, and transmits attack signals using an off-the-shelf PZT transducer (cost $5 per piece) through different types of tables made of solid materials.
• What devices can
• be compromised by
• the commands injected via SurfingAttack?
• We validated successful SurfingAttack on the following devices, and we believe more devices could be vulnerable.
• The phones protected by silicone rubber phone cases are also vulnerable.ManufacturerModelOs/VersionBest fc(kHz)
• GooglePixelAndroid 1028.2GooglePixel 2Android 1027.0GooglePixel 3Android 1027.0MotoG5Android 7.027.0MotoZ4Android 9.028.2SamsungGalaxy S7Android 7.025.8SamsungGalaxy S9Android 9.026.5XiaomiMi 5Android 8.028.3XiaomiMi 8Android 9.025.6XiaomiMi 8 LiteAndroid 9.025.5HuaweiHonor View 10Android 9.027.7AppleiPhone 5iOS 10.0.0326.2AppleiPhone 5siOS 12.1.226.2AppleiPhone 6+iOS 1126.0AppleiPhone XiOS 12.4.126.0
  What can the attackers do?

⚑ Make fraud call using your phone.

⚑ Retrieve your SMS verification code.

⚑ Interact with your devices using the voice assistants.

⚑ And much more…

★ Keep an eye on your devices placed on tabletops.

★ Reduce the touching surface area of your phones with the table.

★ Place the device on a soft woven fabric before touching the tabletops.

★ Use thicker phone cases made of uncommon materials such as wood.

★ Turn off lock screen personal results (or unlock with voice match) on Android.

★ Disable your Voice Assistant on lock screen,

and lock your device when you put it down.

SurfingAttack demonstration

Web surfing vulnerable to new ‘browsiing sniffing’ attacks

Scientists have discovered four new techniques to expose internet users’ browsing histories,

which could be

used by hackers to learn

which websites they have visited.

The techniques fall into the category of “history sniffing” attacks, a concept dating back to the early 2000s.

However, the attacks demonstrated by the researchers

from the University of California – San Diego in the US

can profile or ‘fingerprint’ a user’s online activity in

a matter of seconds, and work across recent versions

of major web browsers.

All of the attacks the researchers developed worked on Google Chrome.

Two of the attacks also worked on a range of other browsers, from Mozilla Firefox to Microsoft Edge, as well various security-focused research browsers.

The only browser which proved immune to all of the attacks is the Tor Browser, which doesn’t keep a record of browsing history in the first place, researchers said. “My hope is that the severity of some of our published attacks will push browser vendors to revisit how they handle history data, and I’m happy to see folks from Mozilla, Google, and the broader World Wide Web Consortium (W3C) community already engage in this,” said Deian Stefan, an assistant professor at UC San Diego.

Most internet users are by now familiar with “phishing;” cyber-criminals build fake websites which mimic, say, banks, to trick them into entering their login details, researchers said.

The more the phisher can learn about their potential victim, the more likely the con is to succeed, they said.

After conducting an effective history sniffing attack, a criminal could carry out a smart phishing scheme, which automatically matches each victim to a faked page corresponding to their actual bank.

The phisher preloads the attack code with their list of target banking websites, and conceals it in, for example, an ordinary-looking advertisement.

When a victim navigates to a page containing the attack, the code runs through this list,

testing or ‘sniffing’ the victim’s

browser for signs that it’s

been used to visit each target site.

When one of these sites tests positive, the phisher could then redirect their victim to the corresponding faked version.

The faster the attack, the longer the list of target sites an attacker can ‘sniff’ in a reasonable amount of time. The fastest history sniffing attacks have reached rates of thousands of URLs tested per second, allowing attackers to quickly put together detailed profiles of web surfers’ online activity.

Criminals could put this sensitive data to work in a number of ways besides phishing: for example, by blackmailing users with embarrassing or compromising details of their browsing histories.

History sniffing can

also be deployed by

legitimate, yet unscrupulous, companies

, for purposes like marketing and advertising, researchers said.

The attacks the researchers developed,

in the form of JavaScript code, cause web browsers to

behave differently based on whether a

website had been visited or not.

READ MORE

• SIM Tracker:SPY24 Track SIM Card Location Online
• spy24
• Surfing attack
• HACK iPhone
• iPhone

The code can observe these differences

for example, the time an operation takes to execute or

the way a certain graphic

element is handled

— to collect the computer’s browsing history.

To design the attacks, researchers exploited features that

allow programmers to customise the appearance of their web page

—controlling fonts, colours, backgrounds, and so forth

—using Cascading Style Sheets (CSS),

as well as a cache meant to improve to performance of web code.

The researchers propose a bold fix to these issues:

they believe browsers should set explicit boundaries

controlling how users’

browsing histories are used

to display web pages from different sites. 

• Surfing attack
• HACK iPhone
• HACK GOOGLE
• HACK iPhone
• iPhone

Surfing attack – HACK iPhone – HACK GOOGLE