A few weeks ago we reported about how Security Research Labs (SRLabs), a hacking research group and think tank based in Germany, found that Alexa and Google Home expose users to phishing and eavesdropping due to third-party skills and apps. Now, another new study about the vulnerabilities of smart speakers, like Amazon Echo, Apple Home Pod, and Google Home, has been released. Researchers at the University of Michigan and Japan’s University of Electro-Communications found that you can hack smart speakers with vibrating light.
Researchers could stand hundreds of feet away from a smart speaker and manipulate the assistant’s artificial intelligence using a special laser encoded with commands. For example, a laser could be encoded with information that would command the assistant to unlock your front door or order something through your Amazon account. The encoding makes the laser vibrate in a way that the smart speaker confuses for a human voice. The components to build this type of hacking device are readily available to the public and to put the whole thing together can cost less than $400. This makes the hack easily available to criminals.
Even though there are features in place to stop this sort of hacking on most smart speakers, the researchers were able to get around most security features like voice recognition, wake words, and pins.
“…We have discovered that while commands like ‘unlock front door’ for August locks or ‘disable alarm system’ for Ring alarms require PIN authentication, other commands such as ‘open the garage door’ using an assistant-enabled garage door opener generally do not require any authentication. Thus, even if one command is unavailable, the attacker can often achieve a similar goal by using other commands,” the researchers noted in their paper, entitled Light Commands: Laser-Based Audio Injection Attacks on Voice-Controllable Systems.
Researchers tried their laser hacking on a variety of devices, including smart speakers in cars. They found Facebook’s Portal Mini, Amazon Echo devices, Google Home, Google Nest Cam IQ, the iPhone XR, and the sixth-generation iPad among the vulnerable devices.
There have been no reports of anyone using this for of hacking yet, but the study and others like to show how vulnerable our smart technology can be. Hopefully, the studies will put pressure on manufactures to find new ways to protect consumers from device hacking.