Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Hidden Voice Commands in YouTube Videos Can Hack Your Smartphone

July 12, 2016

Just when you think you've seen it all . . . hat tip to Gregory Bufithis, who pointed out that researchers have discovered that a series of distorted voice commands surreptitiously hidden in YouTube videos can force unprotected Android or iOS smartphones to carry out malicious operations. Controlling smartphones with voice commands was demonstrated last year, when two security researchers from the French agency ANSSI used radio waves to send hidden commands to handsets running Siri or Google Now. That attack was possible only if the phone had its headphones plugged in.

Now, a team of seven researchers from the University of California, Berkeley, and Georgetown University has devised a variation of this attack that uses mangled voice commands hidden in YouTube videos. A user can view the video from their PC, laptop, smart TV, tablet, or another smartphone. Once the target mobile picks up the mangled voices, the sound filtering features included with Siri or Google Now will clean out the sounds and execute the commands.

Researchers have recorded a video of their attack, which shows that some of the mangled voice commands are easy to discern by a human paying enough attention, but some of the commands are not (the white-box model). There are ways to stop the attack, but it can also execute before the phone owner understands what is happening. The hidden commands embedded in such videos can range from something as innocent as ordering a simple Google search to instructions to download and install malware, eventually allowing the attacker to take full control of the device.

Researchers argue that a series of defenses can be put in place, such as notifying the user when voice commands are accepted or adding a verbal challenge-response system.

There are a number of such videos available, but note well: disable your phone's voice command input before viewing them!

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
www.linkedin.com/in/sharondnelson