Hidden Voice Commands Could Attack Your Smartphone

John Connor

Lifer
Nov 30, 2012
July 1, 2016 – Devices such as a smartphone can be attacked through hidden voice commands that are not understandable to humans, according to a new study by Georgetown and University of California, Berkeley, computer scientists.

A paper describing how this can happen will be presented at the prestigious USENIX Security Symposium taking place in Austin, Texas, in August.

-snip-

“So a possible scenario could be that a million people watch a kitten video, and 10,000 of them have their phones nearby and 5,000 of those phones obey the attacker’s voice commands and load a URL with malware on it,” Sherr says. “Then you have 5,000 smartphones under an attacker’s control.”

https://www.georgetown.edu/hidden-voice-commands-sherr

Very interesting concept. I imagine in order to combat this you would have to either have voice print analysis for your voice only or give a prompt that tells you to approve the voice command.
 

Ken g6

Programming Moderator, Elite Member
Moderator
Dec 11, 1999
This is why people should be able to set their own wake words. Instead of "Alexa", or "OK Google", for instance, I'd like "Ennesby".
 

Elixer

Lifer
May 7, 2002
This reminds me of someone who was talking about using ultra high frequency tones that can be used to do various things on phones.
Whether phone makers are actually doing this is up for debate.
 

Mike64

Platinum Member
Apr 22, 2011
> This reminds me of someone who was talking about using ultra high frequency tones that can be used to do various things on phones.
> Whether phone makers are actually doing this is up for debate.
Maybe things are different in the digital age, but the analog phone system didn't transmit "ultra-high" frequencies at all (as I recall, though maybe incorrectly, even not-so-ultra higher frequencies were in fact filtered completely out of the system, at least anywhere near the consumer-end of the system.) Before the phone systems went digital though, there were indeed all sorts of interesting control functions that the "original hackers" (aka phone phreaks) could commandeer with sufficient knowledge of the systems.

Apart from making use of a few of the most superficial, publicized "cracks", as it were, I never got into any of that stuff myself, but it was pretty widely known that there was a lot one could do with DTMF tones alone - stuff like "tapping" into regular (non-specially secured) subscriber lines "silently", through the backend, etc. But there were other relevant frequencies too (not to mention the A-D DTMF keys that were never included on consumer handsets.) I'm just a year or so too young to have snagged one of those little plastic whistles that gave the (in)famous "Captain Crunch" his nom de guerre when he discovered (or at least publicized the fact) that they coincidentally happened to produce the fundamental "initiate control sequence" frequency used by the various Bell systems at the time. By the time I read about them at the ripe old age of about 8, they'd been pulled from the cereal boxes for at least 6 months ... :(

AbbyGirl

Junior Member
Jan 30, 2017
Really interesting, this is why I worry about the whole home automation and smart home concept. Seriously, anything connected to the internet or any kind of network can be hacked. Some things wouldn't be a big deal, like if someone wants to start my Roomba for me so I have a clean floor when I come home, great! But on the other hand, automated locks? Seriously, all it would take is someone to hack into your phone and they can unlock your house and steal what they want, and no forced entry!
 

Red Squirrel

No Lifer
May 24, 2003
I heard about the fact that some sites like FB, and TVs and other devices, could use high pitched sounds to communicate between devices. Ex: a TV commercial could emit a high pitch sound that is picked up by FB so it can show you ads on whatever you're watching. But anything in the range that a speaker can make you'd probably hear. Most speakers seem to not do well past 15-18 kHz and I can hear that fine. So if they did do this, I'd probably notice it. Now if they can manage to push out a bit past 20 kHz, then maybe they could get away with it.
 

John Connor

Lifer
Nov 30, 2012
> I heard about the fact that some sites like FB, and TVs and other devices, could use high pitched sounds to communicate between devices. Ex: a TV commercial could emit a high pitch sound that is picked up by FB so it can show you ads on whatever you're watching.

I remember that now! Yeah, I wonder if they do this now.
 

John Connor

Lifer
Nov 30, 2012
Speaking of sending data through audio, this is how dial-up and faxes worked.

-Redacted-

Mike64

Platinum Member
Apr 22, 2011
> Speaking of sending data through audio, this is how dial-up and faxes worked.
But fax and modem frequencies were spec'ed squarely within voice-frequency range (> 1kHz, < 3 kHz) precisely in order to transmit reliably over the old analog phone lines…
 

John Connor

Lifer
Nov 30, 2012
The point I was making is that I can take digital audio samples, run them through a program and decode it. P25, EDACS, PSK, etc., all can be demodulated from the captured audio. Granted, a baseline tap to the receiver may be needed depending on what you are trying to decode.
 

Mike64

Platinum Member
Apr 22, 2011
> The point I was making is that I can take digital audio samples, run them through a program and decode it. P25, EDACS, PSK, etc., all can be demodulated from the captured audio. Granted, a baseline tap to the receiver may be needed depending on what you are trying to decode.
Oh, yeah, sure, the basic concept is really pretty simple... It's implementing it in a surreptitious but reliably functional way with existing tech that makes its practical application unlikely (for now, at least...) And on the whole, it seems to me it would be a lot easier to do over RF, for commercial uses, anyway. All these devices have radios that work just fine as is already, and you'd have to go looking for the transmissions with equipment most people don't have to find them, even before you start worrying about decoding them...

Red Squirrel

No Lifer
May 24, 2003
Caller ID uses audio frequencies as well. When the phone is ringing it also sends the caller ID info. If you pick up the phone at the right time you'll actually hear it.

You can also dial a number by simply playing the tones over the phone handset. I've done this before for picky IVRs that don't give you enough time to input a really long number.
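The "play the tones into the handset" trick works because DTMF dialing is in-band: the digits are just pairs of audio tones, and the switch recovers them with a tone detector. As an added illustration (not code from this thread), here is a minimal Goertzel-based DTMF detector run over a constructed tone sequence; the sample rate, block size and tone amplitudes are assumptions, and the frequency table is the standard DTMF keypad layout.

```python
import math

SAMPLE_RATE = 8000            # Hz, the usual telephone sample rate (assumed)
BLOCK = 205                   # samples per analysis block (~25.6 ms), a common DTMF choice
LOW_FREQS = (697, 770, 852, 941)        # DTMF row tones
HIGH_FREQS = (1209, 1336, 1477, 1633)   # DTMF column tones
KEYPAD = ("123A", "456B", "789C", "*0#D")

def goertzel_power(samples, target_hz):
    """Squared magnitude of one target frequency in a block (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * target_hz / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def decode_digit(samples, min_ratio=8.0):
    """Digit whose row and column tones dominate the block, or None for silence/noise."""
    lows = [goertzel_power(samples, f) for f in LOW_FREQS]
    highs = [goertzel_power(samples, f) for f in HIGH_FREQS]
    row, col = lows.index(max(lows)), highs.index(max(highs))
    # A valid digit needs the winning tone in each group to clearly beat its runner-up.
    low_rest = max(p for i, p in enumerate(lows) if i != row) + 1e-12
    high_rest = max(p for i, p in enumerate(highs) if i != col) + 1e-12
    if lows[row] / low_rest < min_ratio or highs[col] / high_rest < min_ratio:
        return None
    return KEYPAD[row][col]

def decode_sequence(samples):
    """Walk the audio block by block; emit a digit each time a tone burst starts."""
    digits, prev = [], None
    for start in range(0, len(samples) - BLOCK + 1, BLOCK):
        cur = decode_digit(samples[start:start + BLOCK])
        if cur is not None and prev is None:
            digits.append(cur)
        prev = cur
    return "".join(digits)

def synth_sequence(digits, tone_blocks=2, gap_blocks=1):
    """Constructed test audio: each digit as a dual-tone burst followed by silence."""
    out = []
    for d in digits:
        r = next(i for i, row in enumerate(KEYPAD) if d in row)
        f1, f2 = LOW_FREQS[r], HIGH_FREQS[KEYPAD[r].index(d)]
        for i in range(tone_blocks * BLOCK):
            t = i / SAMPLE_RATE
            out.append(0.5 * math.sin(2 * math.pi * f1 * t) + 0.5 * math.sin(2 * math.pi * f2 * t))
        out.extend([0.0] * (gap_blocks * BLOCK))
    return out
```

`decode_sequence(synth_sequence("5551#"))` returns `"5551#"`; the silence gaps are what let repeated digits be counted separately.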
 

bruceb

Diamond Member
Aug 20, 2004
He was referring to using the 2600 Hz tone to hijack the long distance trunks. You could then make a call using a special 2 out of 6 tone encoder.
It was known as Blue Boxing, and since the introduction of SS7 back in early 1990 it has been an obsolete system, except in a few countries that have not upgraded. https://en.wikipedia.org/wiki/Blue_box
 

Red Squirrel

No Lifer
May 24, 2003
Interestingly phone hacking still happens but it's not the same way as before. Basically people find a flaw in an IVR/voice mail system and go to a voice mail, and from the voice mail they can get an outside line and then make phone calls. Interestingly it seems to be very short duration phone calls like 10 seconds, so I presume it's being used to send bits of data. If you watch the switch you can see the line getting a trunk and establishing a call, then disconnecting shortly. We usually just add toll deny and the customer is notified in the morning.

I also ended up on the administrative section of an IVR once. No idea how I got there, but it was basically asking me to configure the PBX through some voice commands. I must have happened to hit the right sequence of digits or something. I don't think it was supposed to be that easy to get into.
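The pattern described above (a voicemail port seizing an outside trunk for a burst of roughly 10-second calls) is easy to pick out of call detail records before anyone has to "watch the switch". As an added example, not from this thread, the script below runs a sliding-window check over a constructed CDR sample; the CSV layout, the `VM-PORT` naming for voicemail ports and the thresholds (calls of 10 s or less, three within five minutes) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CDR sample: start time, originating port, outbound trunk, dialed number, duration (s).
SAMPLE_CDR = """\
2016-07-01T02:10:05,VM-PORT-03,TRUNK-1,+15555550101,8
2016-07-01T02:10:31,VM-PORT-03,TRUNK-1,+15555550102,9
2016-07-01T02:11:02,VM-PORT-03,TRUNK-2,+15555550103,10
2016-07-01T02:11:40,VM-PORT-03,TRUNK-1,+15555550104,7
2016-07-01T09:15:00,EXT-2201,TRUNK-1,+15555550199,312
2016-07-01T09:20:00,VM-PORT-01,TRUNK-1,+15555550105,45
"""

def parse_cdr(text):
    """Parse the CSV lines above into (start, origin, trunk, dialed, duration_s) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, origin, trunk, dialed, dur = line.split(",")
        rows.append((datetime.fromisoformat(ts), origin, trunk, dialed, int(dur)))
    return rows

def find_short_call_bursts(rows, max_duration=10, min_calls=3, window=timedelta(minutes=5)):
    """Voicemail ports that placed >= min_calls trunk calls of <= max_duration s within `window`.

    Returns {origin: (first_call_start, start_of_call_that_completed_the_burst)}; the
    natural response in the thread's terms is toll deny on that origin pending review.
    """
    by_origin = defaultdict(list)
    for ts, origin, trunk, dialed, dur in rows:
        if origin.startswith("VM-PORT") and dur <= max_duration:   # assumed port naming
            by_origin[origin].append(ts)
    flagged = {}
    for origin, times in by_origin.items():
        times.sort()
        # Sliding window over the sorted short calls; report the first burst found.
        for i in range(len(times) - min_calls + 1):
            if times[i + min_calls - 1] - times[i] <= window:
                flagged[origin] = (times[i], times[i + min_calls - 1])
                break
    return flagged
```

On the sample, only `VM-PORT-03` is flagged: `VM-PORT-01` made one long call, and the extension's call was not short.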
 

bruceb

Diamond Member
Aug 20, 2004
With the old 2600 Hz hack, you would dial into a toll free line, so if the call was from a pay phone, it would cost nothing. You would never try to hack the long lines trunk from your home or it could be tracked.
 

Red Squirrel

No Lifer
May 24, 2003
Ah yes, is that what the Capt. Crunch whistle was for? That was before my time, but I do recall hearing about it. When you put a coin in a pay phone the phone would send a tone to the switch to activate the line, IIRC, but the whistle happened to generate the right frequency. Now it works a bit differently, in that the phone itself won't even provide you any connectivity to the switch, so you can't input any kind of tones on the handset until you've paid. I imagine if you gain access to the actual line there's probably stuff you could still do.
 

bruceb

Diamond Member
Aug 20, 2004
Yes, that is how it used to work. And on newer telephone switches and tandem offices, the signalling is now SS7 type, which is digital signalling over a line that has no connection to the voice path. It is totally out-of-band, so you cannot get into it from the voice pathway.
 

Mike64

Platinum Member
Apr 22, 2011
> Ah yes, is that what the Capt. Crunch whistle was for? That was before my time, but I do recall hearing about it. When you put a coin in a pay phone the phone would send a tone to the switch to activate the line, IIRC, but the whistle happened to generate the right frequency. Now it works a bit differently, in that the phone itself won't even provide you any connectivity to the switch, so you can't input any kind of tones on the handset until you've paid. I imagine if you gain access to the actual line there's probably stuff you could still do.
The 2600Hz whistle and coin sounds were totally different phenomena, though related in the sense that basically all control functions on the analog system were based on audible sounds that could be "introduced" into the system from pretty much any handset (I think). And while I don't remember exactly what the coin sounds actually were, I do know they predated DTMF tones, so were easier to reproduce with fairly simple circuitry and, if I recall correctly, could in fact be "spoofed" with only moderate-fidelity tape recordings acoustically "coupled" to the handsets.

I frankly have no idea how the "modern" system works, but since digital controls allow so much more flexibility and user-opaqueness (so to speak), I'm sure it's much more sophisticated than the old one. (Oops, I see that bruceb already addressed that last point more accurately and succinctly than I could have. Until I read his post, I had even forgotten that the control channel was totally isolated from the voice channel on the newer systems.)

John Connor

Lifer
Nov 30, 2012
> And while I don't remember exactly what the coin sounds actually were, I do know they predated DTMF tones

I think you are referring to key pulse or pulse dialing.

I was born in a unique time to use pulse dialing from a rotary phone and also DTMF dialing. Also used a record player on up to cassette. And I'm 36. The 80's were awesome!
 

Red Squirrel

No Lifer
May 24, 2003
For pay phones I think the control channel would be on the same line though, as they would not have SS7 links going to pay phones. I think the security is both at the phone itself and the switch though. There's a feature on the switch that you set for pay phones, and I imagine it's a standard that the pay phone itself has to support. Ex: the phone handset won't let you introduce anything to the line until the switch enables it after some kind of handshake indicating you put in money. If ever I get the chance I need to ask someone at work how those operate now; I work for the phone company, I should probably know that. :p I don't really deal much with the programming side of things though, but it's always neat to know how stuff works.