Hidden voice commands embedded in a YouTube video can trigger mobile devices to download malware and alter configuration settings, according to ZDNet.
A team of researchers from the University of California, Berkeley, and Georgetown University has created a technique capable of compromising a mobile device via voice commands embedded in a YouTube video. The signal is imperceptible to viewers, but it is able to trigger commands on a nearby device, whether a laptop, computer, smart TV, smartphone or tablet. On Apple systems, Siri receives the message, and on Android systems, Google Now interprets the signal.
In attempting to warn of the risks inherent in increasingly ubiquitous voice interfaces, the researchers note how "an attacker uses the speech recognition system as an opaque oracle."
The incursion could enable attackers to issue instructions to any nearby mobile device to initiate a download of malware or adjust configuration settings, which could then lead to a compromise of the device and the possibility of surveillance.
A similar strategy was employed in October 2015 when a team at ANSSI, the French computer security agency, demonstrated a hack capable of controlling a mobile device from as far away as 16 feet. In that demonstration, radio commands were sent to the voice control systems used in both Apple's and Google's personal assistants.
On their project page, the U.S. researchers demonstrating the YouTube hack provide some defenses, in particular alerting the user when a voice command is accepted, a verbal challenge-response protocol, and a machine-learning process capable of detecting the attacks.