Your Smart Speaker could become an Acoustic Weapon

Look around your home – how many smart speakers do you have scattered around?

For many of us, smart speakers have become an integral part of our daily lives. They are everywhere, whether it’s expensive, standalone sound systems, laptops, smart home devices, or even cheap portables. I mean we listen to music and movies from it, we use it for voice assistants like Google Assistant, Siri and Alexa, we connect our microphones to it to talk to a large crowd. The list is endless.

It is basically the hub that controls all our smart devices.

Such an innocent little thing – precariously sitting on the shelf, or hung in a dubious corner of the room. It’s almost harmless, am I right? It can’t possibly attack us!

Well, if you had asked me this years ago, I would probably point-blank stare at you like you are some alien from an outer world, and think you are the craziest person I have ever met.

But now in 2019, going to 2020 soon, if you ask me this, I actually believe it might be possible. There might actually be a possibility that these speakers are not as innocent as they seem to be!


What do I mean?

Of course, I am not talking about a speaker being turned into a bomb ready to explode that kind of danger. What I am referring to is more of acoustic damage.

Yet, Matt Wixey, cybersecurity research lead at technology consulting firm PWC UK, and his team still wondered if an attacker could develop malware or attacks to emit noise exceeding maximum permissible level guidelines, and therefore potentially cause adverse effects to users or people around”.


The Matt Wixey Research

The research analyzed the potential acoustic output of a handful of devices, including a laptop, a smartphone, a Bluetooth speaker, a small speaker, a pair of over-ear headphones, a vehicle-mounted public address system, a vibration speaker, and a parametric speaker, which channels sound in a specific direction.

Wixey then wrote simple code scripts or slightly more complete malware to run on each device. From there, Wixey placed them one by one in an anechoic chamber (a soundproof container with minimal echo called). A sound level meter within the enclosure measured the emissions, while a surface temperature sensor took readings of each device before and after the acoustic attack.

Wixey found that the smart speaker, the headphones, and the parametric speaker were capable of emitting HIGH FREQUENCIES that exceeded the average recommended by several academic guidelines. The Bluetooth speaker, the noise-canceling headphones, and the smart speaker again were able to emit LOW FREQUENCIES that exceeded the average recommendations.

Additionally, attacking the smart speaker in particular generated enough heat to start melting its internal components after four or five minutes, permanently damaging the device.

(Wixey says that he is not releasing any of the acoustic malware he wrote for the project or naming any of the specific devices he tested. He also did not test the device attacks on humans.)


Effects of Acoustic Weapons

“It is surprisingly easy to write custom malware that can induce all sorts of embedded speakers to emit inaudible frequencies at high intensity, or blast out audible sounds at high volume”

– Matt Wixey, cybersecurity research lead at technology consulting firm PWC UK

Moreover, Wixey’s research also demonstrated the potential for acoustic malware to be inflicted on internet-connected smart speakers remotely, without the need for physical access to the device.

In addition, the inaudible racket can still harm our auditory systems or secretly track people by emitting and detecting specific frequencies, illustrating a particularly creepy way that people’s personal devices can be used against them.

It’s scary isn’t it, that something we thought to be so innocent, could be turned against us?

The fact is that the speakers on your phone, computer, and any other internet-connected device can be targeted by hackers to blast out deafening or psychologically-damaging frequencies of sound.

I mean, these aural attacks could easily damage your hearing, cause tinnitus (perception of noise or ringing in the ears), or even lead to potential effects that are both physiological and psychological.

This indeed raises questions about the security of our smart speakers and other connected devices; and if hackers could hijack our smart home devices for nefarious reasons, manufacturers will definitely need to step up the security of their products.


In Other News…

“As the world becomes connected and the boundaries break down, the attack surface is going to continue to grow,” Wixey says. “That was basically our finding. We were only scratching the surface and acoustic cyber-weapon attacks could potentially be done at a much larger scale using something like sound systems at arenas or commercial PA systems in office buildings.”

And if you think that acoustic damage is all that speakers can do, you might still be wrong!

Last year, a group of researchers reported findings at the Crypto 2018 conference in Santa Barbara, California, that ultrasonic emanations from the internal components of computer monitors could reveal the information being depicted on the screen.

In addition, Ang Cui, who founded the embedded device security firm Red Balloon, published research in 2015 in which he used malware to broadcast data from a printer by crunching the internal components of the printer to make sounds that could be picked up and interpreted by an antenna.

So what this means is that, not only is there damage to our auditory systems, confidential and sensitive information could also be at risk!


What can You do?

Wixey suggested a number of countermeasures that could be incorporated into both device hardware and software to reduce the risk of acoustic attacks. Crucially, manufacturers could physically limit the frequency range of speakers so they’re not capable of emitting inaudible sounds. Desktop and mobile operating systems could alert users when their speakers are in use or issue alerts when applications request permission to control speaker volume.

Speakers or operating systems could also have digital defenses in place to filter digital audio inputs that would produce high and low frequency noises. And antivirus vendors could even incorporate specific detections into their scanners to monitor for suspicious audio input activity. Environmental sound monitoring for high frequency and low frequency noise would also catch potential cyber-acoustic attacks.

Yet, honestly it is hard to know and hard to detect. I mean, one of the most insidious things about this class of potential attacks is that in many cases, you would have absolutely no idea what’s going on.

“You never really know, unless you’re walking around with a sound meter, what you’re being exposed to,” he says.

But nonetheless, heightening your security on your devices is also important and a crucial step for you to take.


Want to increase your company’s IT security?


eVantage Technology is a professional and trusted IT solutions provider, dedicated to providing exceptional service to companies in Singapore and across Asia.