Voice assistants were supposed to make our lives easier. To some extent they do, but both Siri and Google Assistant are susceptible to hacking. Nothing stops an attacker who has compromised your voice assistant from stealing your personal files and data.
A group of US-Chinese developers presented an attack called SurfingAttack, which uses ultrasonic waves to activate Siri, Google Assistant and Bixby (it does not work in Russia). The team was able to request personal information and make phone calls without physical access to the phone.
Last year, the developers proved that ultrasonic waves and lasers can activate voice assistants under certain conditions (the range is no more than 5-10 meters, i.e. the hacker must be in the victim's field of vision). SurfingAttack takes a much more sophisticated approach, in which the hacking equipment is placed under a table in public places (cafes, bars, restaurants, supermarkets).
When the device is nearby, a round piezoelectric disc costing 300 rubles (on AliExpress) sends commands to the phone. It can use a trigger phrase to wake up the assistant (“Okay Google”) and then ask for information or initiate calls.
The team used a laptop with text-to-speech software to send the required commands to the jailbroken smartphone via Wi-Fi or Bluetooth. The disc was only a meter away from the phone, but the tabletop hides the equipment from the target (the hacking device can be stuck to the bottom of the tabletop with tape). In addition, ultrasonic waves are outside the range of human hearing.
Hackers could take photos, read text messages, and make calls to any phone number. An attacker could use this to read two-factor authentication codes or to call premium-rate numbers.
The victim may not even be aware that her phone is operating on its own unless she looks at the screen. A hacker can use the microphone in your phone to record your conversation from a distance. To do this, he sends Google Assistant a command to turn on the microphone and start recording. The audio recording is then sent by email or uploaded to cloud storage.
SurfingAttack works on virtually all devices with a voice assistant enabled. The team tested phones from Apple, Google, Samsung, Motorola, Xiaomi and Huawei: 17 models in total, 15 of which were vulnerable. The best way to protect yourself from such ultrasonic attacks is to turn off your phone or disable your voice assistant.