Rigged YouTube videos can use Siri and Google Now to hijack your phone
nakedsecurity.sophos.com
In the old days, kids TV commercials would tell the kids to hold up the phone to the TV, and then play DTMF tones to dial a 1-900 number. For example: http://articles.latimes.com/1991-04-21/news/mn-860_1_horror-...
Today, they can probably do the same via "Siri" or "OK Google" ... ?
Or the more modern version of Xbox Live trolling, when people name themselves Xboxoff or xboxinternet and wait for someone to yell their name.
The Siri thing isn't new, though. You used to be able to shout at Siri through someone's phone when you were on speaker, but I think Apple implemented some voice recognition restrictions.
I don't understand why anyone would leave "Hey Siri" turned on. I do use Siri occasionally, but no result of any Siri query is of any value to me while my phone is in my pocket. If I'm going to take it out of my pocket anyway, there's no additional friction in pressing the home button.
Car. Nightstand. Kitchen counter while you cook/wash dishes. There's a myriad situations where you want to use your device hands-free. In fact, it's the driver behind an entire new product category (see Amazon Echo, Google Home, etc.).
>it's the driver behind an entire new product category
Yeah.. the "consumer as product" category
"Hey Siri" feature is great! It has totally changed the way I interact with my phone. I use it every day. Some of the commands are: 1. Hey Siri, what is the time? (when I'm still in bed and my eyes are closed) 2. Turn on all alarms. (yes, I have multiple alarms to wake me up) 3. Turn off all alarms. 4. Hey Siri, what song is this? (if I'm too lazy to open up Shazam) 5. Hey Siri, remind me to do abc at 7am ...
Google Now is fairly easy to train to the user. "OK Google" doesn't open every phone around me.
Do people find Siri and Google Now actually useful? I hardly ever find a use case for it, even when I am driving. I just think people should disable Siri and Google Now by default, and only activate after pressing a button.
Yes, I personally find Siri very useful. I almost always interact with Siri through my watch and I do things like start a cooking timer while my hands are covered in raw chicken juice, set a reminder to do something tomorrow, or reply to a text via voice while driving.
I find it useful for quick conversions, finding my phone in a dark room, and it's often easier than scrolling through my contact book.
Siri on my phone has been activated multiple times by the Siri TV commercials.
Whoa, I just took security with David Wagner last semester and Nicolas/Pratyush were some of my TAs. Academia, where cool stuff is always happening under your nose!
Do phones not filter out/ignore any sound being emitted from the speaker? Seems like that shouldn't be too hard to do.
Can you really distinguish sound emitted from the speaker from someone with a hoarse voice? Furthermore, what about the medium? Traveling through different media should be considered.
Well, the device knows exactly what signal it's putting out through the speaker, so it can predict what the microphone will pick up. It doesn't know what someone with a hoarse voice is about to say.
That attack described in the video isn't something the phone is producing and picking up (most phones already ignore what they play back), but rather a sound played by a laptop picked up by the phone.
And further, the attack described is a sentence that doesn't sound to a human like "Ok Google" or "Hey Siri", or whatever.
Okay, that's what I didn't understand. Thanks.
I'm completely making this up:
I'd guess most speaker generated audio would be from a compressed source. Audio compression generally cuts off frequencies that we cannot hear. When we speak though, we must be generating a lot of inaudible frequencies. It could be determined by checking if those exist or not.
It's definitely possible from a technical perspective. It's very similar to the way echo cancellation works on phones already.
Since the output is known, similar input can then be stripped. This only works when both the output of the speaker and input of the microphone are known.
This can't be done to determine whether another speaker, such as a TV, generated the output.
Visual aid on echo cancellation: http://i.imgur.com/m2LSIz9.png
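The distinction drawn in the comments above (a device can strip its own known output, but not audio from another speaker), sketched as an added example that is not part of the thread or the linked article. It uses a normalized LMS adaptive filter, one common echo-cancellation technique chosen here for illustration; the signals, echo path and parameters are all constructed.

```python
import math
import random

def fir(signal, taps):
    """Convolve signal with a short FIR filter (models the speaker -> mic echo path)."""
    return [sum(h * signal[n - k] for k, h in enumerate(taps) if n - k >= 0)
            for n in range(len(signal))]

def nlms_cancel(reference, mic, n_taps=8, mu=0.1, eps=1e-9):
    """Subtract an adaptive estimate of the echo of `reference` from `mic`."""
    w = [0.0] * n_taps      # current estimate of the echo path
    buf = [0.0] * n_taps    # most recent reference samples, newest first
    residual = []
    for x, d in zip(reference, mic):
        buf = [x] + buf[:-1]
        y = sum(wi * bi for wi, bi in zip(w, buf))   # predicted echo
        e = d - y                                    # what remains after cancellation
        norm = eps + sum(b * b for b in buf)
        w = [wi + mu * e * bi / norm for wi, bi in zip(w, buf)]
        residual.append(e)
    return residual

def power(signal):
    return sum(s * s for s in signal) / len(signal)

def demo(n=4000, seed=1):
    rng = random.Random(seed)
    # Constructed signals: audio the device itself plays, its echo at the mic,
    # and a tone standing in for audio from some other, unknown speaker.
    own = [rng.uniform(-1, 1) for _ in range(n)]
    echo = fir(own, [0.6, 0.3, -0.1])
    external = [0.5 * math.sin(2 * math.pi * 0.05 * i) for i in range(n)]
    tail = slice(n // 2, None)   # measure only after the filter has converged

    only_own = nlms_cancel(own, echo)[tail]
    mixed = nlms_cancel(own, [a + b for a, b in zip(echo, external)])[tail]
    leak = [m - x for m, x in zip(mixed, external[tail])]
    return {
        "own_echo_left": power(only_own) / power(echo[tail]),        # fraction of own echo surviving
        "external_left": power(mixed) / power(external[tail]),       # fraction of external audio surviving
        "external_distortion": power(leak) / power(external[tail]),  # how much it was altered
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.3g}")
```

The device's own echo is removed almost entirely because the filter has the reference signal; the external source has no reference, so it reaches the recognizer essentially intact.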
Wouldn't that be similar to the tech that removes echoing from voice/video chatting when someone isn't using headphones? I wonder how intense that kind of processing is.
You can do it trivially with a bit of hardware, no processing needed.
At least on the iPhone, Siri is only activated by the "Hey Siri" command if your phone is plugged in to charge.
Only on older hardware. Anything with an A9/M9 (iPhones 6S and SE, iPads Pro) works on battery power as well.
I got around this on my iPhone 6 using a battery case :) Nowadays, I just leave it off, though.
Interesting that they don't have a demo video for Siri/iOS.