Hackers send secret commands to Siri from 16 feet away
Researchers in France have demonstrated they can get Siri to do their bidding while she's nestled not-so-safely in your pocket.
In a paper published by IEEE, Chaouki Kasmi and José Lopes Esteves from the French Network and Information Security Agency, created a "silent remote voice command" technique that uses a pair of plugged-in headphones to whisper in Siri's ear without you knowing it. The commands can be sent via radio from as far as 16 feet away, Wired reports. The headphones act as an FM antenna.
It also works against Android phones with Google Now enabled.
The hack sends electromagnetic waves from a radio antenna that are picked up by the microphone in headphones or ear buds and converted into digital signals that can command the phone to do a number of things that might be useful to a hacker with an agenda. Kasmi told CBS News an attacker could activate Wi-Fi and Bluetooth to turn the phone into a midrange location tracker, or use the phone for audio spying (that is, eavesdropping), by having it call his own phone, letting everything you say or hear be heard on the other end.
It can also tell the phone to place a call or send a text to a paid service, or post compromising information to social media for the purpose of phishing or damaging your reputation.
And for advanced maneuvers, Kasmi explained, "The exploitation of the voice command interface is used as a first step to further compromise the device: The attacker can force the target to visit a malicious web page which exploits a vulnerability to compromise the target's operating system. As an example one could think of installing a malicious application, or further exploiting vulnerabilities on the wireless interfaces."
The large version of the antenna can send the signal from 16 feet away, according to Wired, while a backpack sized version is powerful enough for a hacker to sidle up within six and a half feet. Making one isn't particularly challenging and the parts only cost a couple hundred dollars.
"To design such an emitter, open source software for software-defined radio is publicly available," Kasmi said. "Thus, the design of the source is very simple and cheap with regards to open source software and hardware."
Protecting yourself is fairly basic, too. For one thing: Don't leave headphones with a microphone plugged into your phone, and disable voice control enabled when the phone is locked. Google Now voice control is not available from the lock screen by default, but Siri is. To disable it, find the Passcode or Touch ID & Passcode section in settings and deactivate Siri under the heading "Allow Access When Locked."