Hi Guys,
I hope you are well 🙂
A new type of attack called the “Near-Ultrasound Inaudible Trojan” (NUIT) can silently take control of your voice-activated devices, including smartphones, smart speakers, and other IoT devices. NUIT attacks use near-ultrasound waves that human ears cannot hear but that microphones in smart devices pick up. This lets the attacker send malicious commands to the devices with minimal risk of exposure. Examples include:
- Unlocking doors or disabling home alarms connected to the device.
- Making phone calls or sending text messages to a specific number.
- Adding or deleting contacts.
- Playing or recording audio and video.
- Activating the device’s camera or microphone without the user’s knowledge.
- Controlling other connected devices, such as smart TVs or thermostats.
- Stealing personal information, such as passwords or credit card details, stored on the device.
- Dropping malware onto the device.
The researchers behind the attack have tested 17 popular devices that run voice assistants and found that they can all be owned using any voice, including robot-generated voices, except for Apple Siri, which requires the attacker to emulate or steal the victim’s voice.
The full details of the NUIT attack will be presented at the 32nd USENIX Security Symposium in August 2023. You can also read the research paper and see some cool demonstrations by going HERE.
How can you stay safe?
- Do not have any voice assistants in your home. These devices are always listening to you. In theory, they only listen for commands. Still, we have seen on many occasions that attackers can break into these and take control of very sensitive information, and as we’ve seen in this most recent attack, they can even unlock the doors to your house or office. The best way to stay safe is not to have these devices in your home. You do not need them. They are just introducing another attack vector you do not need. If you still want to go down the voice assistant road, then you should also take note of the following:
- Activate additional security methods, such as vocal fingerprint authentication, on your smart devices if available.
  Here’s how to enable it:
  - Open the device settings app on your device.
  - Look for the “Security” or “Privacy” section.
  - Find the “Voice Recognition” or “Voice Authentication” option.
  - Follow the prompts to set up your vocal fingerprint by speaking a passphrase or a set of specific words.
  - Save your vocal fingerprint.
  - When you want to use your device, say the passphrase or specific words to authenticate yourself and unlock your device.

  Note: These steps to enable vocal fingerprint authentication may differ depending on the device and operating system. Some devices may not support this feature, so check your device documentation or contact the device manufacturer for more information.
- Monitor your devices closely for microphone activations, which usually have on-screen indicators on iOS and Android smartphones.
- Use earphones instead of speakers to listen to something or broadcast sound to protect against NUIT or similar attacks.
- Be careful when opening links or playing media on websites and avoid visiting untrusted websites.
- Always keep your devices and software updated to protect against known vulnerabilities.
Please let me know if you have any questions or if you need help.
Sending you the best,
Max 🙂
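
An added example, not part of the original post or the researchers' code: a standard-library Python check that measures how much of an audio clip's power sits in the near-ultrasound range, the kind of test you could run on media before playing it through speakers. The 16 to 22 kHz band, the 0.2 threshold and all function names are assumptions for illustration (the post does not state a frequency range), and the sample tones are constructed.

```python
import math

def goertzel_power(samples, rate, freq):
    """Power of `samples` at one frequency (Goertzel recurrence)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def near_ultrasound_ratio(samples, rate, lo=16000, hi=22000, step=250):
    """Share of spectral power inside [lo, hi] Hz (assumed band).

    The capture must be sampled at 44.1 kHz or more; a 16 kHz
    recording cannot represent this band at all.
    """
    total = band = 0.0
    for f in range(step, rate // 2, step):   # probe up to Nyquist
        p = goertzel_power(samples, rate, f)
        total += p
        if lo <= f <= hi:
            band += p
    return band / total if total else 0.0

def flag_clip(samples, rate, threshold=0.2):
    """True when inaudible-band power is suspiciously high (assumed threshold)."""
    return near_ultrasound_ratio(samples, rate) >= threshold

def tone(freq, rate=48000, n=960, amp=1.0):
    """Constructed test signal: a pure sine tone of n samples."""
    return [amp * math.sin(2 * math.pi * freq * i / rate) for i in range(n)]

if __name__ == "__main__":
    rate = 48000
    audible = tone(1000)                      # ordinary audible content
    hidden = tone(18000, amp=0.8)             # constructed inaudible carrier
    mixed = [a + b for a, b in zip(audible, hidden)]
    for name, clip in (("audible only", audible), ("mixed", mixed)):
        print(name, round(near_ultrasound_ratio(clip, rate), 3),
              "FLAG" if flag_clip(clip, rate) else "ok")
```

Real music and recordings carry some legitimate energy above 16 kHz, so the threshold needs tuning on known-good audio before it is used to flag anything.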