Personal assistants on smartphones – Siri on the iPhone, Google Now on Androids, and Cortana on Windows Phone – allow us to do a lot of things with only a voice command.
We can make calls, send text messages, do web searches, and much more.
But what if someone else could make your phone do any of these things – silently, remotely, and without your knowledge?
A pair of French researchers have conceived an attack to remotely hijack phones with radio waves and, under very limited conditions, got it to work.
José Lopes Esteves and Chaouki Kasmi, researchers for the French infosec agency ANSSI, described the radio wave attack in a talk this summer at Hack in Paris, and recently published their findings in the journal IEEE Transactions on Electromagnetic Compatibility.
To make the attack work, the researchers sent FM radio signals from a laptop to an antenna, which transmitted the signals to a nearby voice-command enabled phone with headphones plugged in.
In this attack, the headphone cord acts as an antenna, sending commands through the microphone to a digital assistant like Siri.
In their Paris talk, the researchers demonstrated a few scenarios, such as turning the phone into an eavesdropping device by commanding it to make a call to an attacker’s monitoring phone.
Or the attacker could make your phone visit a malicious phishing website, create embarrassing posts on your social media accounts, or launch a malicious app that could download malware.
An attacker could also make money by forcing victims’ phones to make expensive phone calls or send premium text messages, the researchers say.
These possibilities sound frightening, but the remote attack is quite difficult to pull off.
The researchers were only able to get their attack to work in a room shielded from outside electromagnetic interference, and with an antenna just six feet away from the victim phone (and even with a high-powered antenna the attack range only goes up to about 16 feet).
However, the researchers say, an attacker could hide an antenna in a backpack in a crowded area such as a train station or stadium and launch a massive attack on many people.
Even though you probably don’t need to worry about having your phone hijacked through radio waves, a few simple precautions make it impossible: don’t keep your headphones plugged in when you aren’t using them, or use mic-less headphones; don’t enable voice commands if you don’t need to; and be selective about the voice commands available without a passcode.
Even if this attack isn’t very realistic, we’ve seen many times how Siri in particular can be exploited to expose your personal information.
Having Siri enabled on the lock screen is just an unnecessary risk – why not just turn it off and get your phone to do things the old-fashioned way?
For more advice on what to do when you review your phone’s security settings, please take a look at our popular article, Privacy and Security on Your Phone. (Covers iOS, Android and Windows Phone.)