Undetectable Commands for Apple’s Siri and Amazon’s Alexa Raise Serious Security Risks

Researchers in the U.S. and China have discovered ways to send hidden commands to digital assistants—including Apple’s Siri, Amazon’s Alexa, and Google’s Assistant—that could have massive security implications.

Over the last two years, researchers in China and the United States have begun demonstrating that they can send hidden commands that are undetectable to the human ear to Apple’s Siri, Amazon’s Alexa and Google’s Assistant. Inside university labs, the researchers have been able to secretly activate the artificial intelligence systems on smartphones and smart speakers, making them dial phone numbers or open websites. In the wrong hands, the technology could be used to unlock doors, wire money or buy stuff online — simply with music playing over the radio.

This month, some of the Berkeley researchers published a research paper that went further, saying they could embed commands directly into recordings of music or spoken text. So while a human listener hears someone talking or an orchestra playing, Amazon’s Echo speaker might hear an instruction to add something to your shopping list.

“My assumption is that the malicious people already employ people to do what I do,” said Nicholas Carlini, a fifth-year Ph.D. student in computer security at U.C. Berkeley and one of the paper’s authors.

Last year, researchers at Princeton University and China’s Zhejiang University also found voice-activated devices could be issued orders using inaudible frequencies. Chinese researchers called the technique DolphinAttack.


Amazon told The New York Times it has taken steps to ensure its speaker is secure. Google said its platform has features that mitigate such commands. And Apple noted an iPhone or iPad must be unlocked before Siri will open an app.

Still, there are several examples of companies taking advantage of weaknesses in the devices, from Burger King’s Google Home commercial to South Park’s stunt with Alexa.

And the number of devices in consumers’ homes is on the rise. Digital assistants have been among the hottest gifts of the past two holiday seasons. And Amazon, alone, is expected to sell $10 billion worth of the devices by 2020.

Source: NY Times and Fortune

Why It’s Hot

It seems like every week we are posting something else about Voice (Alexa, Google Home) and emerging capabilities or how brands are using them. As with any tech, there are concerns about how it will be used. I do wonder though if there’s something positive here, versus scary?

“Smart” Cities can be hacked

Last Friday at 11:40PM, Dallas’s city hurricane warning system sounded: 156 emergency sirens all at once. The alarms sounded a total of 15 times, with each burst lasting 90 seconds, until they fell silent around 1:20AM on Saturday morning.

“But as the New York Times reports, there was no hurricane coming—the sounds were triggered by a hacker who’d penetrated the system’s security measures. Few details have emerged about the hack, save for the fact that it’s thought to have been carried out locally and was very effective (technicians couldn’t stop the hacker, so they had to shut down the entire system to quiet the alarms).”

As cities and government entities rapidly adopt technologies and networks into day-to-day life and infrastructures, have they overlooked the potential shortfalls of a ubiquitous digital infrastructure?

In the same way that new buildings must meet baseline architectural requirements, perhaps the same minimums should be demanded of technology and cybersecurity.

Source: https://www.technologyreview.com/s/604124/smart-cities-could-be-crippled-by-dumb-security/

Hackers Remotely Shut Down a Jeep at 70 MPH

There are connected cars and then there are cars that can be ‘disconnected,’ at least from the driver.

In a somewhat on-the-edge experiment published this week, two well-known hackers tapped into a moving Jeep and remotely operated the radio, air conditioning and windshield wipers.

Then, while the car was moving at 70 miles an hour, the car’s acceleration was remotely shut down, leaving the volunteer driver & writer from Wired slowing on a busy highway.

Aerial view of a freeway interchange, LA

The two hackers, Charlie Miller and Chris Valasek, have been conducting car-hacking research to determine whether an attacker could gain wireless control of vehicles via the internet.

They created software code that could send commands through the Jeep’s entertainment system to its dashboard functions, brakes, steering and transmission from a laptop many miles away, according to the first-person account in Wired.

Why It’s Hot:

The timing of the widely reported Jeep experiment is interesting in light of a new privacy bill in Congress that would stop car makers from using data collected from vehicles for advertising or marketing. More about the bill can be found here.

Drivers shouldn’t have to choose between being connected and being protected. Controlled demonstrations show how frightening it would be to have a hacker take over controls of a car. We need clear rules of the road that protect cars from hackers and American families from data trackers. When consumers feel safe with technology it flourishes but when the opposite is true it can become an epic failure.

But the Jeep episode shows that sending unwanted ads to drivers on the move may be the least of the issues. The silver lining in all of this is that the vulnerabilities in the coming interconnected world of things are being identified and highlighted.

As you might imagine, Fiat Chrysler has issued a software fix that Jeep owners can either download and install themselves or ask a dealer to install. There will be more bumps in the road that get identified. Then they can be addressed.

Read the full story here

Hackers Show Vulnerability of “Connected Cars”

When we think of hacks, we often think email, banks, phones. But many people don’t think of things like cars as hackable devices, too. So researchers in St. Louis set out to demonstrate that the automakers need to be far more active about the security of internet-connected vehicles.

The subject was Fiat Chrysler’s line of Uconnect vehicles. Using a Jeep Cherokee, the researchers demonstrated that, over the vehicle’s Sprint network data connection, they could successfully attack a driver’s vehicle remotely and anonymously. Some 470,000+ vehicles on the roads offer this connectivity, making the vulnerability no small risk.

So what could the hackers exploit? Quite a lot. While the driver was cruising at highway speed, they were able to alter wipers, display personalized messages on the dashboard, even disable the transmission to prevent acceleration. Traffic piled up behind the driver, as the subject was left helpless.


But the hackers are doers of good. They sought to share these exploits with the hacker community, so that those with malicious intent do not find them first. What’s shocking is the automotive industry’s apparent attempt to minimize these studies. In a longer exposé of the study, Wired highlights that automakers are more interested in out-competing each other on features than in addressing real consumer safety concerns with these untested new drivable devices.

Why It’s Hot

As we are always looking for what is new, shiny and internet-driven, cases like this demonstrate why consumers need to remain vigilant in the connected age. In this case, it took hacker advocacy to open our eyes to corporate sluggishness and blindness to the dangers that new products can pose.

Via Ars Technica

Canada’s Largest Bitcoin Exchange is Shutting Down After Suspected Hack

Canadian Bitcoin exchange Cavirtex has announced that it may have suffered a security breach and is shutting down its operations soon [https://www.cavirtex.com/news]. While the company says it hasn’t lost any of its reserves, it feels “the damage to [its] reputation caused by the potential compromise will significantly harm [its] ability to continue to operate successfully.” The company has ceased accepting deposits and will halt withdrawals on March 25. Unfortunately, this is not an isolated incident.

Chinese exchange Bter lost $1.75 million to hackers earlier this week and $5 million was stolen from Slovenia’s Bitstamp last month.


Why It’s Hot:
Bitcoin, an innovative payment network and a “new” kind of money, was first introduced in 2009. Over the years a number of companies, such as Overstock, Amazon, Target, CVS, Victoria’s Secret and Subway, have begun accepting it as a form of payment. Unfortunately, it also seems to have attracted the attention of cybercriminals, and businesses dealing in cryptocurrency should invest heavily in security measures.