Introduction
Do you use Siri? What about Google Home or the Amazon Alexa? Some other, similar smart device hooked up to your home or office? Then you’ll want to read on about this latest vulnerability in your network.
Researchers at the University of Texas San Antonio and University of Colorado Colorado Springs have discovered a potential malware technique capable of sneaking onto voice-controlled devices to take control of the system or network.
Near-Ultrasound Inaudible Trojans, or NUIT, are malicious programs that use near-ultrasound frequencies to hide their presence. These trojans can be used to gain access to confidential information, such as passwords and financial data, without the user’s knowledge.
How the Trojan Works
What makes NUIT so dangerous?
Think of how your voice-controlled Internet of Things devices work. Their microphones catch your voice commands, but what if advanced versions of these smart technologies can pick up frequencies undetectable to the human ear?
Well, many can. That’s exactly what the Near-Ultrasound Inaudible Trojan exploits.
The attack is more difficult to detect because it uses inaudible, high-frequency sound waves to send commands and data. They could control your smart devices remotely, to launch denial-of-service attacks, worm further into your home or work network, and wreak havoc on your systems.
Because the trojan is undetectable by the human ear, adversaries could monitor activities of a target system without the user’s knowledge or consent. That makes it more difficult to detect and, thus, remove. It’s becoming an increasingly popular threat tactic in part because NUIT is able to bypass common security levels and thus take over more systems. They don’t even need to use a human voice; AI works just as well. Many of the smart device brands tested were sensitive to robotic commands too, except for Siri, and even in that case the threat actor could still manipulate audio of your voice to sound like you’re the one speaking.
Conclusion
The Near-Ultrasound Inaudible Trojan is just one example of how IoT devices are more vulnerable and need to be isolated on a separate network than your more confidential data. You might also reconsider just how much access to your life you give smart technology; if you were on a Zoom call that got hacked, the threat actor could send out those inaudible commands and successfully breach smart devices within hearing range of your computer!
NUIT is just the latest cybercriminal tactic capable of taking over your smart devices. You can help prevent unauthorized voice activation by requiring them to first accept some kind of specific voice command before “turning on” or proceeding with an action. Also be sure to monitor smart devices for instances when the microphone might turn on, seemingly by itself.
Be careful what vulnerabilities you’re introducing into your home or workplace the next time you buy new technology!
References
