SEVERE WX : Fire Weather Watch View Alerts

Researchers used a laser to hack Alexa and other voice assistants

Usually you have to talk to voice assistants to get them to do what you want. But a group of researchers determined they can also command th...

Posted: Nov 5, 2019 6:53 AM
Updated: Nov 5, 2019 11:45 AM

Usually you have to talk to voice assistants to get them to do what you want. But a group of researchers determined they can also command them by shining a laser at smart speakers and other gadgets that house virtual helpers such as Amazon's Alexa, Apple's Siri and Google's Assistant.

Researchers at the University of Michigan and Japan's University of Electro-Communications figured out they could do this silently and from hundreds of feet away, as long as they had a line of sight to the smart gadget. The finding could enable anyone (with motivation and a few hundred dollars' worth of electronics) to attack a smart speaker from outside your house, making it do anything from playing music to opening a smart garage door to buying you stuff on Amazon.

In a new paper, the researchers explained that they were able to shine a light that had a command encoded in it (such as 'OK Google, open the garage door') at a microphone built into a smart speaker. The sounds of each command were encoded in the intensity of a light beam, Daniel Genkin, a paper coauthor and assistant professor at the University of Michigan, told CNN Business on Monday. The light would hit the diaphragm built into the smart speaker's microphone, causing it to vibrate in the same way as if someone had spoken that command.

The researchers exploited the vulnerability in tests to do things like trigger a smart garage door opener and ask what time it is.

A list of devices that the researchers tested and said are vulnerable to such light commands includes Google Home, Google Nest Cam IQ, multiple Amazon Echo, Echo Dot, and Echo Show devices, Facebook's Portal Mini, the iPhone XR, and the sixth-generation iPad. Smart speakers typically don't come with any user authentication features turned on by default; the Apple devices are among a few exceptions that required the researchers to come up with a way to work around this privacy setting.

The findings could concern consumers, as well as the companies that offer voice assistants. Over the past five years, the market for assistant-using smart speakers — Amazon's Alexa and its Echo smart speakers in particular — has ballooned. According to data from tech market researcher Canalys, companies shipped 26.1 million smart speakers in the second quarter. Amazon is sitting on top of this market: Canalys reports Amazon shipped a quarter of these speakers, or an estimated 6.6 million between April and June.

The cost for anyone to do likewise could be less than $400: On a website related to the work, researchers outline the equipment needed, which includes an under-$20 laser pointer, a $339 laser driver, and a $28 sound amplifier.

'If you have a laser that can shine through windows and across long distances — without even alerting anyone in the house that you're hitting the smart speaker — there's a big threat in being able to do things a smart speaker can do without permission of the owner,' said Benjamin Cyr, a graduate student at the University of Michigan and a paper coauthor.

Researchers said the Google Home device and first-generation Echo Plus could be commanded over the longest distance: 110 meters (about 361 feet). The researchers said that distance was the longest area they could use (a hallway) when conducting tests.

The researchers noted that they haven't seen this security issue being taken advantage of. One way to avoid any potential issues, though, is to make sure your smart speaker can't be seen by anyone outside your home.

Researchers said the weakness can't truly be fixed without redesigning the microphones, known as MEMS microphones, that are built into these devices, however, which would be a lot more complicated. Takeshi Sugawara, a visiting scholar at the University of Michigan and the paper's lead author, said one way to do this would be to create an obstacle that would block a straight line of sight to the microphone's diaphragm.

Gekin said he contacted Google, Apple, Amazon and other companies to address the security issue.

Spokespeople for Google and Amazon said their companies are reviewing the research. Apple declined to comment.

California Coronavirus Cases

Data is updated nightly.

Confirmed Cases: 559746

Reported Deaths: 10377
CountyConfirmedDeaths
Los Angeles2085634977
Riverside40452799
Orange39641726
San Bernardino35712546
San Diego32330593
Kern23583171
Fresno17290171
Alameda13213208
San Joaquin12303211
Santa Clara11687204
Sacramento10795161
Tulare10475196
Imperial9693244
Stanislaus9665162
Contra Costa9182139
Ventura814689
San Francisco754867
Santa Barbara670469
San Mateo6110120
Marin532779
Monterey529335
Merced501264
Kings445356
Solano402940
Sonoma355647
Madera230239
Placer218620
San Luis Obispo209315
Yolo172143
Santa Cruz12386
Butte10958
Napa104610
Sutter9427
El Dorado7291
San Benito7154
Lassen6380
Yuba6004
Mendocino43110
Shasta41810
Colusa3624
Glenn3603
Nevada3221
Humboldt2824
Tehama2761
Lake2202
Amador1642
Mono1541
Tuolumne1522
Calaveras1471
Del Norte990
Siskiyou930
Inyo893
Mariposa612
Plumas340
Modoc50
Trinity50
Sierra30
Alpine20
Unassigned00
Chico
Scattered Clouds
95° wxIcon
Hi: 101° Lo: 67°
Feels Like: 95°
Oroville
Clear
98° wxIcon
Hi: 101° Lo: 68°
Feels Like: 98°
Paradise
Scattered Clouds
95° wxIcon
Hi: 94° Lo: 68°
Feels Like: 95°
Chester
Clear
88° wxIcon
Hi: 88° Lo: 59°
Feels Like: 88°
Red Bluff
Clear
104° wxIcon
Hi: 107° Lo: 70°
Feels Like: 104°
Willows
Scattered Clouds
95° wxIcon
Hi: 106° Lo: 64°
Feels Like: 95°
Very hot temperatures and the potential for mountain thunderstorms are ahead for your Monday. Temperatures won't be as hot for the middle of this week, but fire danger will be elevated. The heat returns this weekend.
KHSL Severe
KHSL Radar
KHSL Temperatures

Community Events