- Hack can embed hidden voice commands in YouTube videos
- Tests show Android 10ft away from speaker playing malicious commands
- Commands sound demonic and are rarely understood by humans
- Can make phone calls, take pictures, transfer money and more
- Can make assistant download malware to control entire smartphone
It may sound like YouTube has been possessed, but the demonic sounds coming from the clip below are voice commands to access a smartphone’s virtual assistant.
Researchers have found an attack that uses ‘hidden voice commands’ embedded within clips to let hackers prompt the assistant to perform a number of tasks.
This attack lets hackers make phone calls, use Venmo to transfer money or worse, download malware giving cyberthieves complete control of the handset.
In order for you to become a victim, you just have to listen to a malicious YouTube clip via your smartphone or have it nearby – researchers placed the device 10.1 feet away from the speakers and it was hacked.
And when successful, the hacker can take control of your phone by making phone calls, using Venmo to transfer money or accessing other personal information, reports Vocativ.
‘Voice interfaces are becoming more ubiquitous and are now the primary input method for many devices,’ the researchers wrote.
‘We explore in this paper how they can be attacked with hidden voice commands that are unintelligible to human listeners but which are interpreted as commands by devices.’
Another instance, which may be more damaging, would let cyberthieves open websites and download malware – letting them have full control of the device.
‘So a possible scenario could be that a million people watch a kitten video, and 10,000 of them have their phones nearby and 5,000 of those phones obey the attacker’s voice commands and load a URL with malware on it,’ Sherr says.
‘Then you have 5,000 smartphones under an attacker’s control.’
The team used their knowledge about how speech recognition systems work to construct audio recordings that can be understood as speech by computers but lack the necessary resolution for human comprehension.
‘We learned that if you remove those parts and keep everything else, you get something that a computer can still understand but the human brain cannot,’ Sherr explains.
During their work, the team discovered that it is easy to change voice commands so that they are nearly unrecognizable to humans but still prompt the phone to do a task.
The result was the words condensed into a demonic growl.
‘Ok Google, Open XKCD.com,’ the voice says, and a nearby phone opens that URL.
And humans in the study could only understand ‘Ok Google’ 20 percent of the time, whereas the Android device in the experimental video executed the command 95 percent of the time.
The team also offered some solutions.
‘We then evaluate several defenses, including notifying the user when a voice command is accepted; a verbal challenge-response protocol; and a machine learning approach that can detect our attacks with 99.8% accuracy.’
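Two of the defenses the researchers name, notifying the user and a verbal challenge-response, can be sketched as a gate in front of the assistant. This is an added example, not the researchers' code: the class name, the list of sensitive intents, the four-digit code and the 10-second window are all assumptions. A pre-recorded clip cannot know the fresh code, so its command is blocked.

```python
import hmac
import secrets
import time

# Assumed policy (not from the paper): intents that need a spoken confirmation.
SENSITIVE_INTENTS = {"call", "pay", "open_url", "install"}
CHALLENGE_TTL_SECONDS = 10


class VoiceCommandGate:
    """Holds sensitive voice commands until the speaker repeats a fresh random code."""

    def __init__(self, notify, clock=time.monotonic):
        self.notify = notify   # callback that shows or speaks a message to the user
        self.clock = clock     # injectable so expiry can be tested
        self.pending = None    # (intent, argument, code, expiry)

    def submit(self, intent, argument):
        """Takes the recogniser's output; returns 'executed' or 'challenged'."""
        if intent not in SENSITIVE_INTENTS:
            # Defense 1: always tell the user a voice command was accepted.
            self.notify(f"Voice command accepted: {intent} {argument}")
            return "executed"
        # Defense 2: unpredictable code, so audio recorded in advance cannot contain it.
        code = " ".join(secrets.choice("0123456789") for _ in range(4))
        expiry = self.clock() + CHALLENGE_TTL_SECONDS
        self.pending = (intent, argument, code, expiry)
        self.notify(f"To confirm '{intent} {argument}', say: {code}")
        return "challenged"

    def respond(self, spoken):
        """Takes the transcript of the next utterance; returns 'executed' or 'rejected'."""
        if self.pending is None:
            return "rejected"
        intent, argument, code, expiry = self.pending
        self.pending = None    # single use: one attempt per challenge
        answer = " ".join(spoken.split()).encode()
        if self.clock() > expiry or not hmac.compare_digest(answer, code.encode()):
            self.notify(f"Voice command blocked: {intent} {argument}")
            return "rejected"
        self.notify(f"Voice command accepted: {intent} {argument}")
        return "executed"
```

The gate only defeats audio prepared in advance; a speaker who can hear the challenge and answer it live still passes.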