In some of the previous research studies it was shown that ultrasonic waves can be used to deliver a single command through the air. However, now research study at the Washington University says that ultrasonic waves are now a biggest threat to cellphone security.
Ultrasonic waves are imperceptible, yet they can activate Siri on your cellphone and have it make calls, take images or read the contents of a text to a stranger. To the owners surprise, he or she would not be aware of this illegal activity taking place through his or her cellphone, claims research.
The researchers found that these waves can propagate through many solid surfaces to activate voice recognition systems. Additionally, the miscreant by mounting a cheap hardware can also hear the phone’s response.
Ning Zhang, the Assistant Professor of the McKelvey School of Engineering and his co-authors performed an experiment. During the experiment they were able to send voice commands to cellphones as they sat inconspicuously on a table, next to the owner.
With the addition of a stealthily placed microphone, the researchers were able to communicate back and forth with the phone. They could perform the cellphone operations from afar.
The ultrasonic waves are sound waves in a frequency that are higher and human perception range However, the cellphone microphones can record these higher frequencies.
To test the ability of ultrasonic waves to transmit the commands through solid surfaces, the research team carried out a host of experiments.
A phone was kept at a distance on a table. Attached to the bottom of the table were a microphone and a piezoelectric transducer (PZT). These equipments, during experiments, are used to convert electricity into ultrasonic waves.
On the other side of the table, away from the phone, a wave form generator was installed to generate the correct signals. The team ran two tests, one to retrieve an SMS (text) passcode and another to make a fraudulent call.
The test to retrieve SMS passcode was performed on the common virtual assistant command ‘read my messages’ and on the use of two-factor authentication. Prior to this, a passcode was sent to the user’s phone from a bank, for instance to verify the user’s identity.
The attacker first told the virtual assistant to decrease the volume of the cellphone by 3. At this volume, the victim did not notice his/her phone’s responses in an office setting with a moderate noise level.
Further, when a simulated message from a bank arrived, the attack device sent the ‘read my messages’ command to the cellphone. The response was audible to the microphone under the table, but the victim was unaware.
The second test to make a fraudulent call, the attack device sent the message ‘call Sam with speaker phone,’ initiating a call. Using the microphone under the table, the attacker could flawlessly carry out the conversation with ‘Sam’.
The team tested 17 different popular cellphone models. Among the models, two were vulnerable to ultrasonic wave attacks. Ultrasonic waves can pass through metal, glass and wood.
To protect one’s cellphone from such attacks, Zhang advises the people to use an interlayer-based defence, which uses a soft, woven fabric to increase the impedance mismatch. i.e. a tablecloth.
