Voice assistants – just like dolphins – can hear high frequencies that humans can’t hear. And a team of security researchers from Zhejiang University recently found that this ability to hear inaudible sounds (frequencies above 20KhZ) provide cybercriminals the opportunity to hack voice assistants from Apple, Google, Microsoft, Samsung, Amazon, and Huawei (16 devices and seven systems in total). The paper was recently accepted to the ACM Conference on Computer and Communications Security.
Aptly called “DolphinAttack,” the vulnerability lets hackers translate voice commands – such as “call 123-456-7890” or open a malicious website – into ultrasonic frequencies that can be heard and understood by voice assistants but not by the human ear. The bad guys can access your devices from just a few inches away. While devices like Amazon Echos are less likely to be hacked (unless the cybercriminal was in your home), your iPhone could be easily compromised without you knowing it when out in public.
Not only is the technique easy to do, but it’s also inexpensive. Researchers found that hackers could breach speech recognition systems like Siri, Google Now, and Alexa with hardware that costs only about $3. With just a smartphone and hardware like a tiny speaker and amp, a cybercriminal could tell Siri to make a FaceTime call on an iPhone, get Google Now to switch a phone to airplane mode, and manipulate the navigation system in an Audi automobile.
So, why would tech companies let this gaping hole exist? Fast Company’s Co.Design theorizes it’s about making voice assistants more user-friendly. “User-friendliness is increasingly at odds with security,” Mark Wilson writes. “This new voice command exploit is just the latest in a growing list of security holes caused by design, but it is, perhaps, the best example of Silicon Valley’s widespread disregard for security in the face of the new and shiny.”
Currently, the best way to fix most DolphinAttack vulnerabilities would be just to turn off the always-on settings of Siri or the Google Assistant on your phones and tablets, and use the hard mute buttons on the Amazon Alexa and Google Home. But, with these solutions being self-defeating, this brings up the question: should we even be using voice assistants in the first place if we can’t safely use them?
Why should insurance agents care about this? Because businesses are increasingly employing Internet of Things (IoT) devices and artificial intelligence (AI). As the trusted risk management advisor, you need to understand the rapidly changing technology landscape and the corresponding threats.
While cyber policies can cover IoT and AI, you need to carefully read the policy language and definitions to be sure.
For more information about the DolphinAttack and cyber insurance, contact INSUREtrust today at 888-932-7475 or info@INSUREtrust.com.