Hacking Siri

With a simple “Hey, Siri,” iPhone users have a hands-free helper who can look up an address, call someone, or launch an application. Android users speak to Google Now to check weather or traffic, or to text by voice. Voice command technology makes hands-free use simple and easy, but it can leave devices open to silent electronic warfare. Researchers in France have demonstrated the ability to hijack phones, view contacts, post to social media, read and send emails, and even eavesdrop on conversations. They call it “a new silent remote voice command injection technique.”


Speaking Without Saying a Word 

Someone as far away as 16 feet from you with little more than a laptop and an antenna could be talking to Siri without you even knowing. Hackers can use voice-enabled technology to get at your personal data without saying a word. The technique relies on common, easily affordable equipment that fits in a backpack, and it uses electromagnetic waves to communicate with your phone, with the plugged-in headphones acting as the antenna. Now imagine this: you are at a busy place such as a theme park, mall, sporting event or airport. Using this technique, many phones can be pinged at once in search of an easy way in to camera pictures and emails. The phones could even be commanded to call a paid service or browse to a URL with ads. Siri can also be linked to Apple’s new HomeKit and connected to products at home like lights, locks, and shades.

French researchers Jose Lopes Esteves and Chaouki Kasmi demonstrated their findings this past summer at the Hack in Paris conference. For someone to physically break into a phone, a fingerprint or PIN is necessary, as well as physical possession of the device. With electromagnetic hacking, if headphones are plugged in and voice command software is enabled on the lock screen, anyone can easily access a treasure trove of sensitive data. Unless users are looking down at the phone and see it operating without their consent, they may never know it happened. This hands-free technology is now being deployed more and more in smart watches, cars and desktop machines.


Don’t Be an Easy Target

Lopes Esteves and Kasmi presented several easy steps for users to make themselves less of a target:

- Unplug headphones when not in use.

- Use headphones without a mic.

- Only enable voice commands when needed.

- Personalize your keyword.

- Enable as many “feedbacks” as possible for voice commands, such as sound and vibration.

The group has also used their findings to inform Apple and Google of the gap in security. Headphone cords with better shielding would make them harder to reach with common (and easily transported and hidden) antennas. Apple’s new iPhone 6s comes with a Siri that only recognizes the user’s voice. Older models respond to anyone uttering the phrase “Hey Siri.” The researchers urge voice-command tech users to disable the software on their lock screens; that way a PIN and/or fingerprint would be necessary to wake Siri. “It’s not mandatory to have an always-on voice interface,” says Kasmi. “It doesn’t make the phone more vulnerable, it just makes the attack less complex.” The hacking gear can reverse engineer and spoof the electronic signal of a user pressing their headphone button to wake Siri.


French researchers presented a demonstration this summer of hacking into smartphones using voice command technology. They used common, affordable equipment and electromagnetic waves to mimic voice commands that activate and control programs like Siri and Google Now. This gives hackers access to sensitive information like contacts, emails, photos, social media accounts, and personal data. Users can make themselves harder targets by disabling voice command programs on their phone lock screens and unplugging headphones when not in use. Voice command technology is expanding to watches, cars and even the control of lights and door locks at home.


CIPP Exam Preparation:

In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam, a privacy professional should be comfortable with topics related to this post, including:

Information Management from a U.S. Perspective (I.C.)


