Security News Hidden Voice Commands Embedded in YouTube Videos Can Hijack Your Smartphone

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
A series of distorted voice commands surreptitiously hidden in YouTube videos can force unprotected Android or iOS smartphones to carry out malicious operations, researchers have discovered.

Controlling smartphones with voice commands was already done last year when two security researchers from French agency ANSSI have used radio waves to send hidden commands to smartphones running Siri or Google Now. The attack was possible only if the phone had its headphones plugged in.

YouTube attack is simpler to carry out
A team of seven researchers from the University of California, Berkeley, and Georgetown University has devised a variation of this attack that uses mangled voice commands hidden in YouTube videos.

The attack works when the user is viewing a tainted YouTube video that contains hidden commands. He can view the video from his nearby PC, laptop, smart TV, tablet, or another smartphone.

Once the target mobile picks up the mangled voices, the sound filtering features included with Siri or Google Now will clean out the sounds and execute the commands.
Researchers have recorded a video of their attack, embedded below, which shows that some of the mangled voice commands are easy to pick up by a human paying enough attention, but some of the commands are not (the white-box model).

Attacks can range from pranks to malware distribution
The attack can be stopped, but it can also execute before the phone owner understands what is really happening.

The type of hidden commands embedded in such videos range from simple Google searches to instructions to download and install malware, eventually allowing the attacker to take full control of the device.

Researchers argue that a series of defenses can be put in place, such as notifying the user when voice commands are accepted or by adding a verbal challenge-response system.

Technical details about the attack are available in the researchers Hidden Voice Commands paper found on their project's official website. More YouTube demos are also included, but make sure to disable your phone's voice commands input first.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top