Laser pointers are now able to deceive smart speakers, tablets, and phones into making them follow a voice command to make a purchase or open a door from hundreds of feet away. The University of Michigan and the Tokyo University researchers publicized that they can take over Apple Siri, Amazon Alexa, and Google Assistant devices by illuminating a laser pointer or flashlight on a microphone. A researcher, Daniel Genkin, was also a member of the team that discovered the Spectre CPU and Meltdown vulnerabilities. The group issued a paper describing the light defects after testing for seven months. By focusing the laser with a telephoto lens, the researchers were able to hijack smart speakers from 230-350 feet.
Researchers explained that the inside of the microphone of the device has a small diaphragm that travels when it is struck by sound. The laser can replicate the motion and transform it into an electrical signal that the device is able to understand. Researchers said it’s easy to take over Google Home to open a garage door, and they can easily make an online purchase, open a door protected by a smart lock, or even use the same method to connect to a remotely unlocked car powered by a voice-AI device. Researchers have informed Ford, Apple, Google, Amazon, and Tesla about this issue. The team said that they used the technology to hijack Echo Plus / Dot/Show, Google Home / Nest, Fire Cube TV, iPhone XR, Google Pixel 2 devices, Facebook Portal Mini, EchoBee 4, 6th Gen iPad, and Samsung Galaxy S9.
This issue is far from the first batch of digital assistant vulnerabilities discovered by security researchers. Researchers at Zhejiang University in China found that Alexa, Siri, and other voice assistants can be operated through commands sent at ultrasonic frequencies. At the same time, a team from the California University at Berkeley discovered that they could operate smart speakers by implanting commands that were inaudible to people directly in to music or voice recordings.