Researchers have apparently found a way to hack assistants such as Alexa, Google Assistant, and Siri, as well as some smartphones, by simply pointing a laser. The hack dubbed as Light Commands, allows attackers to take full control over many popular voice-controlled devices by targeting the device’s microphone with lasers.
Takeshi Sugawara, one of the lead researchers of the study, explained that microphones in smart devices convert sound into electrical signals, which sends commands to the device. He added that microphones react the same way to a focused light pointed at them, just like they respond to sound commands.
“It’s possible to make microphones respond to light as if it were sound. This means that anything that acts on sound commands will act on light commands,” Sugawara told Wired in a statement.
As many voice-controlled devices are not protected by a PIN or password, attackers just need to be in the device’s line of sight to exploit this vulnerability. In a research paper published on Monday, experts revealed how they could easily hack smart speakers, tablets, and even phones by simply pointing a laser` through a window. They added that the vulnerability could be exploited by hackers to operate smart switches at homes or offices, as well as buy things online without being detected.
“Once an attacker gains control over a voice assistant a number of other systems could be open to their manipulation. In the worst cases, this could mean dangerous access to e-commerce accounts, credit cards, and even any connected medical devices the user has linked to their assistant,” says a breakdown of the study on the University of Michigan’s website.
Experts spent nearly seven months testing this vulnerability on popular voice-controlled devices powered by Siri, Alexa, and Google Assistant. These include Google Home, Echo Dot, Fire Cube, Google Pixel, Samsung Galaxy, iPhone, and iPad. They were able to successfully exploit the flaw using ordinary laser pointers, laser drivers, and a telephoto lens. In some cases, even a souped-up flashlight did the trick.
Researchers also added that they’ve shared their findings of the exploit with Google, Facebook, Amazon, Tesla, as well as Ford.
