If you’ve heard that French researchers have successfully hacked Siri and Google now, don’t worry too much. “Success” is most certainly a relative term.
While the researchers at government IT security agency ANSSI have demonstrated their ‘hack’ it’s barely more than a proof of concept. In this case the concept is that electromagnetic waves and a headphone cable could combine to create bogus audio signals and in turn commands.
The attack only works while the phone’s owner has a pair of headphones plugged in and where those headphones are microphone-enabled. In this situation the cable effectively acts as a receiving antenna, passing on the electromagnetic waves as a voice command.
The scope for using the attack is pretty limited: it would only really be of use against a victim who had the headphones plugged in but was paying little or no attention to what their phone was actually doing. That makes targeting a particular user for particular data extremely difficult.
Indeed, the researchers concede that the nearest they can come to a useful way to exploit this would be to go to a crowded location and beam out commands indiscriminately in the hope of controlling at least one phone, then set it to call a premium or international rate phone number that generates revenue for the attackers.
There’s also a big physical limitation: the researchers built the necessary equipment into a backpack and could only reach phones up to eight feet away. They say it would be possible to extend the range with bulkier equipment hidden in a car, but even then it would only reach around 16 feet.
Realistically the researchers aren’t claiming that their discovery uncovers a major risk of smartphone users getting “attacked” via this exploit. Instead their main practical point is to remind people of the convenience vs security trade-off that comes with having a phone set to accept voice commands even when a phone screen is locked.
[Image credit: Wired]