Showing results for tags 'voice assistant'.
Not OK Google: Android, Siri sink in SurfingAttack

Voice commands encoded in ultrasonic waves can, best case scenario, silently activate a phone's digital assistant, and order it to do stuff like read out text messages and make phone calls, we're told.

The technique, known as SurfingAttack, was presented at the Network and Distributed Systems Security Symposium in California this week. In the video demo below, a handset placed on a table wakes up after the voice assistant is activated by inaudible ultrasonic waves. Silent commands transmitted via these pulses stealthily instruct the assistant to perform various tasks, such as taking a photo with the front facing camera, reading out the handset's text messages, and making fraudulent calls to contacts.

It's basically a way to get up to mischief with Google Assistant or Apple's Siri on a nearby phone without the owner realizing it's you causing the shenanigans nor why it's happening – if, of course, they hear it wake up and start doing stuff. It's a neat trick that could be used to ruin someone's afternoon or snoop on them, or not work at all. There are caveats. It's just cool, OK.

Eggheads at Michigan State University, University of Nebraska-Lincoln, and Washington University in St Louis in the US, and the Chinese Academy of Sciences, tested their SurfingAttack technique on 17 models of gadgets; 13 were Android devices with Google Assistant, and four were iPhones that had Apple’s Siri installed.

SurfingAttack successfully took control of 15 of the 17 smartphones. Only Huawei’s Mate 9 and Samsung’s Galaxy Note 10+ were immune to the technique.

“We want to raise awareness of such a threat,” said Ning Zhang, an assistant professor of computer science and engineering at St Louis, on Thursday. “I want everybody in the public to know this.”

Here’s one way to pull it off: a laptop, located in a separate room from the victim’s smartphone, connects to a waveform generator via Wi-Fi or Bluetooth. This generator is near the victim's phone, perhaps on the same table, in the other room, and emits voice commands, crafted by the laptop, via ultrasonic waves. Technically, a circular piezoelectric disc placed underneath the table where the phone is resting emits the pulses from the generator.

The silent ultrasonic wave is propagated through the table to cause vibrations that are then picked up by the smartphone. The signals command the assistant on the phone to do things like “read my messages” or call a contact. A wiretapping device, also placed underneath the table, records the assistant and relays the audio back to the laptop to transcribe the response.

Tiny little small caveat: you'll need to imitate your victim's voice

So here’s a catch: to activate someone's smartphone, the attacker has to imitate or synthesize the victim’s voice. Smartphone assistants are trained on their owners' voices so they won't respond to strangers. A miscreant has to find a way to craft realistic imitations of the victim’s voice, therefore. It’s not too difficult with some of the machine-learning technology out there already. However, fiends will have to collect enough training samples of the victim’s voice for the AI to learn from.

Qiben Yan, first author of the paper and an assistant professor of computer science at Michigan State University, told The Register the team used Lyrebird to mimic voices in their experiment.

Victims must have given Google Assistant or Siri permission to control their phones. The assistants can only perform a limited number of functions unless the user has already unlocked their phones. In other words, even if you can imitate a person, and send their device ultrasonic waves, the phone's assistant may not be able to do much damage at all anyway.

For example, if a target has not toggled their smartphone's settings to allow the digital assistant to automatically unlock the device, it’s unlikely SurfingAttack will work.

“We did it on metal. We did it on glass. We did it on wood,” Zhang said. Even when the device’s microphone was placed in different orientations on the tables, SurfingAttack was successful, as well as when the circular piezoelectric disc and the wiretapping device were placed underneath a table with the phone 30 feet away.

The best way to defend yourself from these attacks is to turn off voice commands, or only allow assistants to work when a handheld is unlocked. Alternatively, placing your smartphone on fabric on a table would make it more difficult for the ultrasound signals to be transmitted.

Despite all these caveats, the academics reckoned SurfingAttack posed a serious potential threat. "We believe it is a very realistic attack," Yan told El Reg. "The signal waveform generator is the only equipment which is bulky. Once we replace it with a smartphone, the attack device can be portable.

"One great advantage of SurfingAttack is that the attack equipment is placed underneath the table, which makes the attack hard to discover. For synthesizing victims’ voice, we have to capture victims’ voice recording. However, if we want to target a specific user, it doesn’t seem to have any problem in capturing the users’ voice commands or synthesizing them after recording the victims’ voice.

"Moreover, the Google Assistant is not very accurate in matching a specific human voice. We found that many smartphones’ Google Assistants could be activated and controlled by random people’s voices. Also, many people left their phones unattended on the table, which creates opportunity for the attackers to send voice commands to control their devices."

Source

Lenovo Voice is an ambitious voice assistant for Windows 10 that, if it worked, could put Cortana to shame

Lenovo Voice is a digital voice assistant by Lenovo for Windows 10 which offers a number of interesting voice-based features. It offers the ability to translate languages in real-time, transcribe offline video, and also offer general voice assistant features.

The app is now in the Microsoft Store, but unfortunately does not appear to do much yet on my Yoga, with the message: This service is not available yet.

The app appears to be aimed mainly at the Chinese market, offering English/Chinese and Japanese translation. It however also offers features such as voice typing which would be usable everywhere.

If you have better luck, find it in the Store here. A recent non-store version can be found here.

Source: Lenovo Voice is an ambitious voice assistant for Windows 10 that, if it worked, could put Cortana to shame (MSPoweruser)

shamu726 posted a topic in Security & Privacy News

I’ve had Alexa smart speakers for years. I bought them to make my smart home more convenient to use through voice controls. But now Alexa has me hopping mad. Why? She invaded my printer without asking my permission and started emailing me about ink. When does a voice assistant cross the line from convenience to nuisance?

An (un)Welcome Email

It all started with an innocuous email that I initially disregarded as some phishing attempt. “Thank you for connecting your HP OfficeJet Pro 8710 printer to Alexa. Alexa just made printing a whole lot easier. Now you can print documents using only your voice and compatible Echo devices.”

That is the model of printer I use. And it did come from Amazon. But I didn’t do anything to connect the two. Even stranger, it said I connected them ten days before the email arrived. The email mentioned how you could print documents using just your voice, like your shopping list or a daily sudoku puzzle. Naturally, I forgot all about the email.

Alexa Spammed Me

Not long after, I got a rude reminder when a mess of emails started arriving. Every day, I started getting four emails: “replace your HP 952 Yellow Toner soon to keep your HP OfficeJet Pro 8710 running.” One for each color, and for black. Four emails in a row, every day. Alexa spammed me!

Alexa noticed that you will need to replace your HP 952 Yellow Toner soon, based on your HP OfficeJet Pro 8710 usage. You can view products on Amazon.com that are confirmed to work with your device. Or, you can set up smart reorders to automatically receive replacements of your choice.

And if that isn’t bad enough, the email actually blamed me for the spam: “You are receiving this message because you connected your HP OfficeJet Pro 8710 to Alexa on 6/28/20.” But I didn’t. From what I can tell, at some point, I installed an unrelated smart home device and Alexa skill. When I ran the discovery process to find “new smart home devices,” Alexa found my printer and added it.

Not a Service I Want or Need

The entire thing is extremely frustrating and feels very invasive. I didn’t go out of the way to connect my printer to Alexa; Amazon did that to “help me.” It didn’t give me the chance to say no or prevent the connection from happening. Until now, I thought adding printers to Alexa was an opt-in thing because HP has an Alexa skill, which I have not installed.

Even worse, the initial email didn’t tell me what Alexa really planned to do. Nowhere in that first email does it mention ink, or a warning that it will check levels and help you purchase a resupply when you need it. If it had, I would have turned off the entire set of functionality sooner because I don’t need it.

I have an HP printer, and it’s enrolled in HP’s ink replenishment service. Admittedly, I don’t like the service, but I’m stuck in a loop where I can’t get out. When my ink gets low, HP sends me more before I run out. That makes Alexa’s prodding to buy ink utterly useless.

You Can Turn The Dumb Thing Off

If I have one compliment to give Amazon at this point, it’s how painless it makes turning the emails off—well, mostly. In every single email about ink, you can find a quick link to take you to your Alexa’s notification settings to turn the blasted emails off.

But what if you didn’t see that? It’s subtle, at the bottom of the email. Or what if you don’t trust clicking on links in an email to take you to account settings? Well, then it gets a little more tricky.

I spent a good half hour trying to find another way to turn off the Alexa and Printer email notifications, or just remove the printer from Alexa altogether. I went into my Alexa account online, I went into skills to see if I enabled something, I searched Google for help. All of that was a bust.

Finally, I found where to go by tapping every option I could find in the Alexa app. If you go to Device > All Devices, you can find your printer. I have 50 smart home devices, and of course, my printer is nearly at the bottom of the list.

Once you find the printer, you can either turn off the notifications or delete the printer entirely. I opted for the former, for now. I can’t see a use for printing by voice, but as a tech journalist, I’ll keep the option open for the future.

Alexa Lacks Transparency, and That’s Bad for Smart Homes

You might be thinking, “What’s the big deal? You got a bunch of emails, and you turned them off,” and that’s a fair point. But when I tell people, “I have a smart home” and “I have Alexa (and Google Assistant) in my home,” I commonly get the same reaction.

People get creeped out by smart homes, and even more so by “speakers that are always listening.” Your smart speaker isn’t always listening to every word you say. Not in the way people fear, anyway. But that fear is a problem. Smart homes and smart speakers depend on trust and a promise of privacy. That can only happen with transparency.

Alexa violated my trust, thanks to a lack of transparency. On its own, Amazon decided to connect Alexa to my printer. Just because I invited you into my home doesn’t mean I’ve permitted you to rummage through my underwear drawer. I expect you to ask permission and give me a good reason why you’d need that kind of access to my life.

Likewise, I want control over which smart home devices Alexa can access. And that’s usually how it works; I have to install a skill or take some extra step to pair the two up. But not this time—Alexa was proactive (in a bad way).

And even when Alexa provided me a reason to connect to my printer, it didn’t tell me the whole truth. Sure, fancy voice controls for my printer sounds nice. But Amazon admitted in later emails that it looked at my printer usage history to guess when I’d run out of ink, and I didn’t give permission for that either.

Failing to mention that Amazon planned to check my ink status and then use that information to upsell me another product is unacceptable. As the old saying goes, “a lie of omissions is still a lie.”

Smart homes require transparency and trust, and on this occasion, Alexa did itself a disservice. I trust it less now because who knows what else in my house Amazon will decide is fair game to turn into a shopping opportunity next.

Source: Review Geek