Secret commands in online videos could hack your smartphone

Secret voice commands could hack your smartphone
Secret voice commands could hack your smartphone

You may think watching videos on your phone is a harmless way to pass time, but watch out: Newly discovered voice commands could be hidden inside those videos to hack your smartphone through voice recognition.

To an untrained ear, the message may seem like noise, but for smartphone voice assistants, the message is clear.

"[The command could be in] some popular YouTube video that has this strange noise in the background that a human being would just dismiss as an oddity, but that at the same time that noise could be controlling a cellphone that just happens to be located next to a computer," said Micah Sherr, an associate professor in Georgetown University's Department of Computer Science.

Sherr, along with other researchers at Georgetown and University of California, Berkeley discovered the vulnerability.

"We wanted to look at … is it possible to issue commands that could be understood by these computers, but not by a human being?" he said.

Secret commands could be hidden in popular online videos to hack nearby smartphones
Source: CNBC Video

The answer was yes.

"Because of the differences in how computers understand speech and how the human brain understands speech, we're able to construct sounds that are understood as human speech only by computers, but not by a human brain," Sherr explained.

Sherr demonstrated the technology for CNBC. He played an audio clip that was reminiscent of Darth Vader and his Android phone opened up Facebook.

Micah Sherr, an associate professor in Georgetown University’s Department of Computer Science, demonstrates how secret voice commands could work.
Source: CNBC Video

"It heard … the command, 'Open Facebook.' And that's what it did," he said.

While opening Facebook is not going to hack your smartphone, the technology can be used with more dangerous intentions.

"They can cause your phone to open a website, a malicious website that has some malicious software on there that runs on your phone, takes over your phone," Sherr said.

The commands work because of voice recognition systems that are always listening for commands. While the researchers used Google Now, Sherr believes it would also work with systems like Apple's Siri and Amazon Echo.

"We take privacy and security very seriously at Amazon, but we don't discuss details about security features, and I wouldn't speculate on hypothetical situations," Amazon spokeswomen Rachel Hass said in an e-mail.

A Google spokesman said in an e-mail, "We're aware of the researchers' findings and appreciate their work to make all speech recognition software safer. We offer users the option — by saying 'OK Google' three separate times — to train their Android device to respond only when it recognizes their voice. This helps prevent commands from being activated by other users or background noise."

Since Apple was not part of the researcher's demo, it declined comment.

The research team acknowledges that as far as they know hackers have yet to use the technique, but they wanted to prove it could happen so device manufacturers and consumers would be aware.

Business executives could especially be at risk, according to Fahmida Rashid, a security writer for InfoWorld.

"If you have confidential conversations on your phone, it could be recording that and you don't know it," she said.

To protect yourself, Sherr recommends keeping voice software off when not in use. In addition, you can do voice authentication where you teach your phone to only respond to your voice.