SurfingAttack: Interactive Hidden Attack on Voice Assistants Using - - PowerPoint PPT Presentation


SurfingAttack: Interactive Hidden Attack on Voice Assistants Using Ultrasonic Guided Waves. Qiben Yan¹, Kehai Liu², Qin Zhou², Hanqing Guo¹, Ning Zhang³. ¹Michigan State University, ²University of Nebraska-Lincoln, ³Washington University


slide-1
SLIDE 1

SurfingAttack: Interactive Hidden Attack on Voice Assistants Using Ultrasonic Guided Waves

Qiben Yan¹, Kehai Liu², Qin Zhou², Hanqing Guo¹, Ning Zhang³

¹Michigan State University, ²University of Nebraska-Lincoln, ³Washington University in St. Louis

slide-2
SLIDE 2

Voice Assistants

  • Read my message
  • Take a selfie
  • Calling Sam
  • Send a message to Sam
  • Open my garage door

slide-3
SLIDE 3

They are not safe!

slide-4
SLIDE 4

Over-the-air Inaudible Attack

[Figure: microphone signal path with labels Diaphragm, Input, Amplifier, Low Pass filter, ADC (axes: f, Amp); the voice assistant answers "Yes, how can I help you?"]

[1] Roy, N. et al. Backdoor: Making microphones hear inaudible sounds. MobiSys 2017.
[2] Zhang, G. et al. Dolphinattack: Inaudible voice commands. CCS 2017.
[3] Roy, N. et al. Inaudible voice commands: The long-range attack and defense. NSDI 2018.

slide-5
SLIDE 5

Over-the-air Inaudible Attack

[Figure: microphone signal path with labels Input, Amplifier, Low Pass filter, ADC (axes: f, Amp)]

Ideally Actually !!" !!" "#!!" "#!!"+ "$!$!" + ⋯ %

%& = '()* ' + '()* (

%(%& = + ,-.2*

' + 0 ,-.2* ( + 1 ,-. * ' + * ( + 2 ,-. 3# − 3$

[Figure: Amplitude versus Frequency (axis 10k to 80k), marking F1, F2 and (F1-F2), the Audible and Inaudible ranges, and the Microphone filter]

How about Inaudible Attack through other media?

Diaphragm

Courtesy: modified image from “Inaudible voice commands: The long-range attack and defense”
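The nonlinearity effect this slide sketches (two inaudible tones F1 and F2 producing an F1-F2 product that passes the microphone filter), as an added simulation that is not part of the original slides. The gains A1 and A2, the tone frequencies, the sample rate and the ideal 20 kHz filter are assumptions chosen for illustration.

```python
import math

FS = 192_000              # simulation sample rate in Hz (assumed)
N = 1_920                 # 10 ms of samples, so every tone below fits whole cycles
F1, F2 = 30_000, 25_000   # constructed tone pair, both above the 20 kHz hearing limit
A1, A2 = 1.0, 0.1         # assumed linear and quadratic gains of the amplifier
CUTOFF = 20_000           # idealized microphone low-pass filter cutoff in Hz (assumed)

def amplifier(a2):
    """Two-tone input passed through s_out = A1*s_in + a2*s_in**2."""
    out = []
    for n in range(N):
        t = n / FS
        s_in = math.cos(2 * math.pi * F1 * t) + math.cos(2 * math.pi * F2 * t)
        out.append(A1 * s_in + a2 * s_in * s_in)
    return out

def amplitude_at(signal, freq):
    """Amplitude of the sinusoidal component at freq (single-bin DFT)."""
    re = sum(x * math.cos(2 * math.pi * freq * i / FS) for i, x in enumerate(signal))
    im = sum(x * math.sin(2 * math.pi * freq * i / FS) for i, x in enumerate(signal))
    return 2 * math.hypot(re, im) / len(signal)

def spectrum(a2):
    """Non-zero components among the input tones and their second-order products."""
    out = amplifier(a2)
    candidates = (F1 - F2, F2, F1, 2 * F2, F1 + F2, 2 * F1)
    amps = {f: round(amplitude_at(out, f), 6) for f in candidates}
    return {f: a for f, a in amps.items() if a > 0}

def after_microphone_filter(components):
    """Ideal low-pass: only components below CUTOFF reach the ADC."""
    return {f: a for f, a in components.items() if f < CUTOFF}

if __name__ == "__main__":
    print("ideal amplifier  :", after_microphone_filter(spectrum(0.0)))
    print("actual amplifier :", after_microphone_filter(spectrum(A2)))
```

The F1-F2 product scales with A2 and lands inside the audible band, so a low-pass filter placed after the amplifier cannot remove it.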

slide-6
SLIDE 6

Inaudible Attack through other media (a table)

slide-7
SLIDE 7

Typical Attack Setup

[Figure labels: Device, Ultrasonic Guided Wave, Laptop, PZT transducer, Table, Cubicle Panel]

Solid Materials as transmission media!

slide-8
SLIDE 8

SurfingAttack: Surfing Waves in Materials

  • Non-line-of-sight & omni-directional
  • Long-range attack
  • Attack multiple devices simultaneously

slide-9
SLIDE 9

SurfingAttack: Hidden Interactive Attack

Attack transducer and waveform generator are hidden under the desk


slide-10
SLIDE 10


slide-11
SLIDE 11

How it works?

slide-12
SLIDE 12

Ultrasonic Guided Waves: Lamb Waves

[Figure label: Guided Wave Probe]

  • Sound wave dispersion
  • Wave modes
  • Material-dependent propagation

slide-13
SLIDE 13

Attack Wave Selection

  • Low dispersion
  • Low attenuation
  • Easy excitability
  • High attack signal reachability

  • Narrowband input signals
  • Lower-order Lamb wave modes (A0)
  • Circular piezoelectric disc (PZT)

Ultrasonic guided wave

slide-14
SLIDE 14

Attack Wave Generation

! " = 1 + & ∗ ( " ∗ ) " ∗ cos(2/0

5")

  • Goal: Preserve the similarity between the recovered voice signal and the original voice signal:

Equation terms: Depth of modulation (0.8~1.0), Tukey Window, Baseband Signal, Central Frequency

  • Optimize the central frequency, modulation depth, and cosine fraction of Tukey Window by measuring the nonlinearity responses.

[Figure: waveform panels labelled Original, Without Window, With Window; text labels "OK, Google", "O…, oogle", "OK, Google"]

slide-15
SLIDE 15

Triggering Non-linearity Effect

[Figure labels: 1st harmonic, 2nd harmonic, Smartphone, MEMS microphone, Table, PZT transducer]

Baseband signal modulated to 25.3 kHz carrier/central frequency.

[Figure panels: Baseband Voice Signal, Recorded Voice Signal]

slide-16
SLIDE 16

Attack System Design

[Block diagram labels: Voice Commands, TTS Module, Speech Synthesis, Voice Recording, Controller, Interactive Voice Commands, Voice Response, Transducer, Tapping Device, Signal Modulation & Voice Recording, Attack Device Package, Signal Processor]

slide-17
SLIDE 17

OK Google, Turn Volume to 3
Read my messages
You have one text message. It’s from 347268, do you want to hear it?
Sure
It says …, do you want to reply, repeat it and just that for now?
Cancel
Cancelled

OK Google, Turn Volume to 3
Call Sam with speakerphone
OK, calling Sam with speakerphone
Hi, Sam, I forgot the new access code of the lab, can you tell me?
Sure, it is 2501.
OK, thanks.
You are welcome.

[Figure labels: Fraud call using synthetic voice of Alice; Calling Sam; Sam; "Hi, Alice."]

Multi-round conversation to steal financial, trade secret, etc.

slide-18
SLIDE 18

Feasibility Across Different Smartphones

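| Manufacturer | Model | Assistants | Attack Frequency | Attacks (Recording, Activation, Recognition) |
|---|---|---|---|---|
| Google | Pixel 1, 2, 3 | Google | 27-28 kHz | |
| Moto | G5 | Google | 27.0 kHz | |
| Moto | Z4 | Google | 28.2 kHz | |
| Samsung | Galaxy S7 | Google | 25.8 kHz | |
| Samsung | Galaxy S9 | Google | 26.5 kHz | |
| Samsung | Galaxy Note 10+ | Google | X | |
| Xiaomi | Mi 5, 8 | Google | 25-28 kHz | |
| Huawei | Mate 9 | Google | X | |
| Huawei | Honor 10 | Google | 27.7 kHz | |
| Apple | iPhone 5, 5s, 6+, X | Siri | 26-27 kHz | |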

SurfingAttack succeeds on 15 out of 17 smartphones!

slide-19
SLIDE 19

Evaluation: Impact Analysis of Factors

  • Noise and Verbal Conversations
  • Directionality
  • Attack Distance
  • Table Materials
  • Lock Screen
  • Table Thicknesses
  • Interlayers on the Table
  • Phone Cases


slide-20
SLIDE 20

Evaluation: Attack Distance

[Figure: achievable attack distance (cm) plotted against attack power (Watt)]

Reaching 30 feet (900cm+)

GWBP-AMP-X75 Power Amplifier

  • Maximum output power of 1.5W (output voltage of 30V)

SurfingAttack attack distance reaches 30ft with 0.8W attack power. In comparison, over-air speaker array reaches 30ft with 6W attack power[1].

[1] Roy, N., Shen, S., Hassanieh, H., & Choudhury, R. R. (2018). Inaudible voice commands: The long-range attack and defense. In 15th USENIX Symposium on Networked Systems Design and Implementation (NSDI 18).

Saving attack power by 87%

slide-21
SLIDE 21

Evaluation: Impact of Table Materials

Impedance mismatch

The best energy delivery can be achieved when the table material is the same as the device body material. Porous structure absorbs ultrasound.

| Device | Aluminum Metal Sheet (0.3 mm) | Steel Metal Sheet (0.8 mm) | Glass (2.54 mm) | MDF (5 mm) | Rough polyethylene plastic (5 mm) |
|---|---|---|---|---|---|
| Xiaomi Mi 5 | 910+ cm | 95+ cm | 85+ cm | 50 cm | X |
| Google Pixel | 910+ cm | 95+ cm | 85+ cm | 45 cm | X |
| Samsung Galaxy S7 | 910+ cm | 95+ cm | 85+ cm | 48 cm | X |

slide-22
SLIDE 22

Evaluation: Lock Screen

The attack works on voice assistants even when the device is locked, provided voice assistants are enabled on the lock screen.

slide-23
SLIDE 23

How to defend?

slide-24
SLIDE 24

Countermeasure I

  • Keep an eye on your devices.
  • Reduce the touching surface area of your phones with the table.
  • Place the device on a soft woven fabric before touching the tabletops.
  • Use thicker phone cases made of uncommon materials such as wood.
  • Disable your Voice Assistant on lock screen and lock your device.

slide-25
SLIDE 25

Countermeasure II

  • Software-based Defense
      • Difference between recovered signal and the baseband signal in spectrogram (10 – 20 kHz)

[Figure panels: Recorded Normal Voice, Recorded Attack Signal]

slide-26
SLIDE 26


slide-27
SLIDE 27

Can We Attack Standing Voice Assistants?

[Figure labels: Power Loss, Power Loss]

Further increasing the power of ultrasound signals: the guided waves can be converted into in-air ultrasound signals.

slide-28
SLIDE 28

Conclusion

1. Explore the feasibility of launching inaudible ultrasonic attacks leveraging ultrasonic guided waves through solid materials.
2. Enable conversations between the adversary and the voice-controllable device.
3. SurfingAttack successfully attacks 15 popular smartphones on different solid materials and achieves a 30ft long-range attack through a metal table with a low power profile.

Visit https://surfingattack.github.io/ for more information

slide-29
SLIDE 29


We are recruiting graduate students!