The following Guest Post was submitted by one of my readers, Robert Widner, a family law attorney in Dallas, Texas:
Siri makes a fantastic personal assistant. She can help you navigate your phone, manage your calendar, answer your questions, and can even tell a great bedtime story if you ask her nicely. She’s become so helpful, hackers now say she’ll roll out the welcome mat for anyone under the right circumstances. The Network and Information Security Agency (ANSSI) from France uncovered this nasty little glitch, and they’ve proven that Siri will respond to silent commands from anyone within a 16-foot radius.
Hackers Can Send Siri Messages via Electromagnetic Waves
It requires a bit of finesse to pull the trick off, but researchers (aka professional hackers working for the French government) have discovered a way to silently talk to iOS and Android digital assistants. It turns out that headphones with an integrated microphone work as an antenna that can pull in electromagnetic waves, which are then converted into electrical signals that the digital assistant recognizes as sound. Quite simply, standard Apple earbuds plugged into your iPhone are all a hacker needs to send silent voice commands to your phone.
Once Inside, Hackers Can Do Just About Anything
In all fairness, it’s easy to see the hackers in action, just by watching your screen. However, many of us stash our phones in briefcases during meetings, or place the device upside down on a table during a discussion. In a public place, such as a restaurant, or even a courtroom, hackers can easily search for available mobile devices to connect with. Dozens of people in any given space could be vulnerable to attack. Hackers can gain access to contact lists, send texts, make calls, compose emails, or even open up websites with malicious code and viruses. Realistically, anything that can be done using the digital assistant can be done by hackers, in total silence, from as much as 16 feet away.
The Equipment Needed Can Be Discreetly Hidden
Last summer, the research was presented at the Hack in Paris conference, though it received almost no press. Very little equipment is needed for hackers to pull the trick off, and it can be discreetly concealed. This makes it difficult to tell who the culprit is, even if you detect that your phone is being hacked while someone is actively accessing it just a few feet away. A laptop running the open-source GNU Radio software and a USRP software-defined radio, combined with an antenna and amplifier, are all that’s needed to access someone’s phone. If the hackers can get within 16 feet of you, the equipment can fit inside a backpack. However, researchers have noted that the distance can be much greater with an equipment upgrade. Though it would be more difficult to obscure, it’s plausible that hackers could sit in a vehicle outside a restaurant or other venue, prying into the phones of diners.
Apple Has Been Notified, But There’s No Fix Yet
Researchers notified Apple and Google, and also gave the companies suggestions on ways to correct the defect. They recommended better shielding within headphones, or perhaps software upgrades with the option for people to create customized code words to wake digital assistants. Voice recognition could also thwart would-be hackers. While the obvious temporary fix seems to be to turn off the digital assistant when not in use, researchers noted that many headphones have a button that turns the service back on. This, too, could be easily manipulated with electrical pulses. Until the companies respond with a real repair, the only way to protect phones and their data is to remove the headphones from the jack when they’re not being used.
It was only a few weeks ago that another Siri exploit was detected. Anyone could access the contacts and photos on an Apple device by waking Siri up after a few incorrect passcode attempts, using the clock app, and sharing. From the messaging app, the contacts could be searched, or a photo could be shared, allowing anyone free access to view all the stored photos in less than 30 seconds. When Apple heard about this, they corrected it right away, so iPhones, iPods, and iPads running iOS 9.0.1 are safe. However, the number of vulnerabilities being seen in digital assistants is cause for concern. For now, the safest thing might be to go sans headphones, and turn these helpful assistants off, to stop them from being helpful to hackers.
About the Author: Robert Widner is a family law attorney based out of Dallas, Texas, with over 16 years of experience.