A group of researchers is exploring why digital home assistants and other sensing systems that act on sound commands can be hacked with light. They have found that someone can hack into an Amazon Alexa device using a laser beam and then do some online shopping using the device owner’s account.
This is dangerous in practice, and it can expose weaknesses in both technical and business systems. The team that last year mounted a signal-injection attack against a wide range of smart speakers merely by using a laser pointer is still unraveling the mystery of why the micro-electro-mechanical systems (MEMS) microphones in the products turn the light signals into sound.
The researchers also examined how the ecosystem of devices connected to voice-activated assistants, such as smart locks, home switches, and even cars, suffers from common security vulnerabilities that can make these attacks even more dangerous. The paper shows how using a digital assistant as the gateway can allow attackers to take control of other devices: once an attacker takes control of a digital assistant, he or she can operate any device connected to it that also responds to voice commands. Indeed, these attacks can get more interesting if these devices are connected to other aspects of the smart home, such as smart door locks, garage doors, computers, and even people’s cars.
Reduction of Attacks
The team offers some measures for reducing these attacks from both software and hardware perspectives. On the software side, users can add an extra layer of authentication on devices to “somewhat” prevent attacks, although usability can suffer, the researchers stated. On the hardware side, reducing the amount of light that reaches the microphones could help mitigate attacks, they said: a barrier or diffracting film physically blocks straight light beams while still allowing soundwaves to detour around the obstacle.
The team plans to present the evolution of the research at Black Hat Europe on December 10.