Hi Guys,
New research has proved that your devices can be hacked by a laser from only 110 meters away. The ‘Light Command’ attack uses a laser light beam to hack voice activation systems like Alexa, Siri or any voice command software. No physical interaction is required.
Essentially, anyone with a laser, within 110m from the device (approximately the size of a football pitch) or less can send a command to your device. You won’t hear the command, it is completely inaudible, as it is being transferred by light.
It is easy and cheap to do, simple laser pointers are easily available online for as little as 14 dollars. An attacker could increase their capabilities by using a telescopic lens to target the device microphone and project the laser.
How does it work:
Smart devices, particularly ones that recognise voice commands, use a special microphone that converts sound into electrical signals to perform the command. These microphones are called microelectro-mechanical systems (MEMS) and its has been proved that they also react and respond to light too.
Example of a Real LIfe Attack:
An attacker could use the Light Command attack by standing outside your home/car/office and point a laser at your device to initiate a command. They could request doors to be unlocked on your home or vehicle, remotely start a vehicle, make online purchases, and access anything that Alexa/Siri etc can.
Devices Tested:
It is most likely that this type of attack is possible on any device with a MEMS microphone. This type of attack/hack was tested and successful on the following devices:
Google Assistant
Google Pixel 2
Samsung Galaxy S9
Alexa
Google Nest Cam IQ
Echo
iPhone XR
Siri
How to protect your device:
The most obvious answer is to ensure your devices are not visible. Move devices and smart home assistants out of view, away from windows or any outside line of sight. When your mobile devices are unattended, leave them somewhere safe, out of sight. Also covering the microphone would stop the laser accessing the device and would qualify as another preventative measure
From a technical perspective there are some steps you can take to mitigate your risk of attack.
It will depend on the security settings of the device but some offer additional layers of authentication like having to answer random questions after each command.
Google, Facebook and the other manufacturers have been questioned about this and don’t have any solid answers other than that they are working on a solution. So in the mean-time, close your curtains!