[OPLIN 4cast] OPLIN 4Cast #595: The sound of another security headache for smart speakers

OPLIN Support support at oplin.ohio.gov
Wed May 23 10:34:23 EDT 2018 

Email not displaying correctly? View it in your browser.
<http://www.oplin.org/4cast/>
[image: OPLIN 4Cast]

OPLIN 4Cast #595: The sound of another security headache for smart speakers
May 23rd, 2018

[image: sound waveform] Audio viruses are not a new thing, although they
certainly haven't gotten the attention that other kinds of hacks and
malware have. As early as 2013
<https://www.extremetech.com/computing/171949-new-type-of-audio-malware-transmits-through-speakers-and-microphones>,
security researchers confirmed that it was possible to transfer malware via
a speaker and have it picked up via a microphone. However, there's now a
new target for these types of attacks: voice-activated assistants, like
Siri and Alexa. Vectors can be YouTube videos, radio shows and even TV
programs.

Some researchers believe it's possible to also hide attacks in music or
spoken text. Right now, there's no protection from what security experts
have dubbed "Dolphin Attack." However, practically speaking, there may not
be much danger in this...at least, not yet.

   -
   - Audio Virus is Coming?
   <https://medium.com/level-up-web/audio-virus-is-coming-technical-writing-blog-d490aebf4e8b>
   [Medium] " This situation carries a potential threat because someone can
   make your phone call somebody, open websites or even buy something and
   unlock the door of the smart home through the speech recognition systems."
   - Inaudible ultrasound commands can be used to secretly control Siri,
   Alexa, and Google Now
   <https://www.theverge.com/2017/9/7/16265906/ultrasound-hack-siri-alexa-google>
   [The Verge] "As with the rest of the research, this method is satisfyingly
   clever, but a little too impractical to be a widespread danger. For a
   start, for a device to pick up an ultrasonic voice command, the attacker
   needs to be nearby — as in, no more than a few feet away. The attacks also
   needs to take place in a fairly quiet environment."
   - Hackers send silent commands to speech recognition systems with
   ultrasound
   <https://techcrunch.com/2017/09/06/hackers-send-silent-commands-to-speech-recognition-systems-with-ultrasound/>
   [TechCrunch] "Security researchers in China have invented a clever way of
   activating voice recognition systems without speaking a word. By using high
   frequencies inaudible to humans but which register on electronic
   microphones, they were able to issue commands to every major “intelligent
   assistant” that were silent to every listener but the target device."
   - ‘Dolphin Attack’ hides secret commands for Alexa and Siri inside music
   <http://www.tampabay.com/news/nation/-Dolphin-Attack-hides-secret-commands-for-Alexa-and-Siri-inside-music_168132421>
   [Tampa Bay Times] "With audio attacks, the researchers are exploiting the
   gap between human and machine speech recognition. Speech-recognition
   systems typically translate each sound to a letter, eventually compiling
   those into words and phrases. By making slight changes to audio files,
   researchers were able to cancel out the sound that the speech-recognition
   system was supposed to hear and replace it with a sound that would be
   transcribed differently by machines while being nearly undetectable to the
   human ear."

*From the Ohio Web Library <http://ohioweblibrary.org>:*

   - This Hack Can Take Over Amazon Echo or Google Home Devices
   <http://proxy.ohiolink.edu:9099/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=buh&AN=125164551&site=ehost-live>
   (Darrow, B. (2017). This Hack Can Take Over Amazon Echo or Google Home
   Devices. *Fortune.Com*, 1.)
   - Dolphin attack enables access to your smartphone via inaudible
   ultrasonic commands
   <http://proxy.ohiolink.edu:9099/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=nfh&AN=2W62858425950&site=ehost-live>
   (Bhushan, K. (2017, September 8). Dolphin attack enables access to your
   smartphone via inaudible ultrasonic commands. *Hindustan Times*.)
   - How to...Hack-Proof Your Home
   <http://proxy.ohiolink.edu:9099/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=nfh&AN=7EH130171513&site=ehost-live>
   (HOW TO... HACK-PROOF YOUR HOME. (2017). *Sunday Times, The*, 27.)

------------------------------
The *OPLIN 4cast* is a weekly compilation of recent headlines, topics, and
trends that could impact public libraries. You can subscribe to it in a
variety of ways, such as:

   - *RSS feed.* You can receive the OPLIN 4cast via RSS feed by
   subscribing to the following URL: http://www.oplin.org/4cast/
   index.php/?feed=rss2.
   - *Live Bookmark.* If you're using the Firefox web browser, you can go
   to the 4cast website (http://www.oplin.org/4cast/) and click on the
   orange "radio wave" icon on the right side of the address bar. In Internet
   Explorer 7, click on the same icon to view or subscribe to the 4cast RSS
   feed.
   - *E-mail.* You can have the OPLIN 4cast delivered via e-mail (a'la
   OPLINlist and OPLINtech) by subscribing to the 4cast mailing list at
   http://lists.oplin.org/mailman/listinfo/OPLIN4cast
   <http://lists.oplin.org/mailman/listinfo/OPLIN4cast>.

© 2018 Ohio Public Library Information Network
[image: Find us on Slideshare] <http://www.slideshare.net/oplin>  [image:
Find us on Facebook] <http://www.facebook.com/oplin.org>  [image: Find us
on Google+] <https://plus.google.com/107751358238995507967>  [image: Find
us on Twitter] <http://www.twitter.com/oplin>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.oplin.org/pipermail/oplin4cast/attachments/20180523/991b5de1/attachment.html>

More information about the OPLIN4cast mailing list