You don't hear me but your phone's voice interface does


  1. You don’t hear me but your phone’s voice interface does
     José LOPES ESTEVES & Chaouki KASMI
     Hack In Paris - 18/06/2015

  2. WHO WE ARE
     José Lopes Esteves and Chaouki Kasmi
     - ANSSI-FNISA / Wireless Security Lab
     - Electromagnetic threats on information systems
     - RF communications security
     - Embedded systems
     - Signal processing
     ANSSI 2

  3. AGENDA
     - Voice command interpreters
     - Voice and command injection
     - Attack scenarios
     - Countermeasures
     - Conclusion

  4. Voice Command Interpreters: Your phone hears …

  5. VOICE COMMAND INTERPRETERS
     - Definition
     - Commands scope
     - Activation conditions
     - Process description
     - Security

  6. DEFINITION
     - Hands-free UI
     - More and more deployed
     - Smartphones, smartwatches, IoT, cars, desktop OS, browsers, apps …
     - Apple: Siri, VoiceControl
     - Microsoft: Speech, Cortana
     - Google: Google Voice Search
     - 3rd party apps (e.g. Samsung S-Voice)

  7. COMMANDS SCOPE
     - Telephony: calls, SMS…
     - Internet: browsing, emails, social networking, web searches, maps …
     - Local: launching/using apps, changing settings, creating notes, alarms, calendar entries…

  8. ACTIVATION CONDITIONS
     - Always on: keyword (OK Google, Hey Siri)
     - Via soft button: in specific applications
     - Via hard button: on phone or on headset remote

  9. PROCESS
     - Local: keyword detection, limited actions
     - Remote: voice processing and command recognition
     - Diagram labels: (1) OK GOOGLE, (2) Call Mom, <Cmd: Call Mom>

  10. SECURITY
      - Pre-auth actions (limited but still …): auth bypass [1]
      - Cloud based: malicious server responses [2]
      - Voice processing: privacy [3], biometric data
      - Local attacks: malicious app sending voice commands through the audio front-end [4]

  11. SECURITY
      - Pre-auth actions (limited but still …): auth bypass [1]
      - Cloud based: malicious server responses [2]
      - Voice processing: privacy [3], biometric data
      - Local attacks: malicious app sending voice commands through the audio front-end [4]
      - Today: Remote and Silent Voice Command Injection by Smart IEMI

  12. Voice and Command Injection: But you don’t hear anything …

  13. VOICE COMMAND INJECTION
      - Smartphones, headsets, FM
      - Transmission principle and field to line coupling
      - Experimental setup
      - Results

  14. SMARTPHONES, HEADSETS, FM
      - Some smartphones are FM radio capable
      - Use headphones cables as an antenna
      - Remote buttons change the signal on the MIC cable
      - Diagram, FM processing: Bandpass Filter, FM Demodulation, Audio IN
      - Diagram, Voice processing: Lowpass Filter, Amplification, Audio IN

  15. SMARTPHONES, HEADSETS, FM
      - Some smartphones are FM radio capable
      - Use headphones cables as an antenna
      - Remote buttons change the signal on the MIC cable
      - Headphones are good [80MHz-108MHz] coupling interfaces
      - Maybe we can inject a signal interpreted as sound by abusing the low-pass filter with a VHF AM signal

  16. SMARTPHONES, HEADSETS, FM
      - PoC: Main hypothesis
      - Diagram labels: « OK GOOGLE »; AM modulation; 80-100 MHz CW; Voice processing (Lowpass Filter, Amplification, Audio IN)

  17. EXPERIMENTAL SETUP
      - PoC: injecting music
      - Diagram labels: AM – 80-108MHz; Wi-Fi; Audio streaming; Faraday Cage

  18. EXPERIMENTAL SETUP
      - PoC: injecting commands?
      - Diagram labels: AM – 80-108MHz; Wi-Fi; Internet access; <Cmd: Call Mom>; Faraday Cage; Cloud

  19. RESULTS
      - Activation (if needed):
        - CW (80-108MHz), Frequency modulated signal
      - Exploitation:
        - CW (80-108MHz), Amplitude modulated CW by audio voice commands
      - Electric field level/range:
        - 28V/m at 100MHz (less than the human safety limit)

  20. RESULTS
      - Limitations
        - Antenna size (~30cm)
        - Emitted power
      - E-field level/range
        - 28V/m at 100MHz
      - Power level/range
        - 40W/2m, 200W/5m
      - Figure labels: 2m, 5m

  21. Attack scenarios … Silent and Remote Command Injection

  22. ATTACK SCENARIOS
      - Tracking
      - Eavesdropping
      - Cost abuse
      - Reputation / Phishing
      - Malicious app trigger
      - Advanced compromising

  23. ATTACK SCENARIOS
      - Tracking
        - Activate wireless interfaces (Wi-Fi, BT)
        - Capture advertising packets (Probe Requests)
        - Use MAC addresses to identify
        - Use presence of packets to locate
        - Use Wi-Fi SSIDs to identify known locations
        - Demo: S-Voice Bluetooth (de)activation
          Payload: Hi Galaxy – Bluetooth

  24. ATTACK SCENARIOS
      - Eavesdropping
        - Place a call to a monitoring phone’s number
        - Simply listen to the target’s sound environment
        - Demo: placing a call
          Payload: Call « Mon Compte » (« My account »)

  25. ATTACK SCENARIOS
      - Cost abuse
        - Massive attack in a crowded place
        - Place a call or send an SMS to a paid service
        - Browse to some URL with ads
        - Demo: web browsing
          Payload: OK Google – Go to www.ssi.gouv.fr

  26. ATTACK SCENARIOS
      - Reputation / Phishing
        - Create malicious content (embarrassing, phishing)
        - Send by SMS, email
        - Or publish to social media
        - Web/search history poisoning

  27. ATTACK SCENARIOS
      - Malicious app trigger
        - Launch an already installed malicious application
        - Use voice input to trigger a payload
        - Launch a critical application (e.g. Sesame)
        - Demo: launching an application
          Payload: OK Google – Open Gmail

  28. ATTACK SCENARIOS
      - Advanced compromising
        - Use voice command injection as a way to extend the attack surface (interface activation, web browsing…)
        - Exploit vulnerabilities to compromise the device
        - Ex: silent application install via a malicious web page [5], local privilege escalation…
        - Ex: wireless interface reset, capture initial exchange, exploit protocol weaknesses, rogue AP [6], launch an application …

  29. Countermeasures: Restrict, Detect and Alert

  30. COUNTERMEASURES
      - For
        - Users
        - Manufacturers/editors
      - To
        - Reduce attack surface
        - Limit impact
        - Increase attacker level
        - Detect the attack

  31. USERS
      - Unplug headphones when not used
      - Use mic-less headphones
      - Only enable voice command when needed
      - Personalize keyword
      - Carefully select commands available (especially pre-auth)
      - Enable as much feedback as possible (sound, vibration…)

  32. EDITORS
      - Limit critical commands available
      - Reduce audio front-end sensitivity
      - Voice recognition
      - Provide finer-grain settings to users
      - Detect abnormal EM activity with built-in sensors [7]

  33. Conclusion

  34. CONCLUSION
      - Voice command interface IS critical and shall be correctly secured
      - Users: use it wisely
      - Editors: allow users to use it wisely and implement secure defaults
      - Researchers: take a look at it, it is a critical and complex command input interface

  35. CONCLUSION
      - Smart IEMI can be an efficient attack vector against information systems
      - Not limited to DoS
      - More and more affordable (SDR…)
      - Take it into account for risk analysis

  36. References

  37. REFERENCES
      - [1] N. Gonzalez, Siri exploited again – how to bypass the lock screen in iOS 8, ios.wonderhowto.com, 2014
      - [2] Applidium, Cracking Siri, GitHub, 2011
      - [3] W. Wei, Apple admits Siri voice data is being shared with third parties, www.hackernews.com, 2015
      - [4] W. Diao et al., Your Voice Assistant is Mine: How to Abuse Speakers to Steal Information and Control Your Phone, SPSM 2014
      - [5] A. Moulu, Abusing Samsung KNOX to remotely install a malicious application, Quarkslab, 2014
      - [6] G. Wilkinson, The machines that betrayed their masters, BH Mobile Security Summit, 2015
      - [7] C. Kasmi, J. Lopes Esteves, Automated analysis of the effects induced by radio-frequency pulses on embedded systems for EMC safety, AT-RASC, URSI, 2015

  38. IMAGE CREDITS
      dailymail.co.uk, jimmymacsupport.com, scene7.com, wonderhowto.com, eroelectronic.net, dryicons.com, webniraj.com, shopify.com, icon100.com, icon8.com, tagstation.com, wikipedia.org

  39. Thank You

  40. QUESTIONS?
      - José Lopes Esteves, jose.lopes-esteves@ssi.gouv.fr
      - Chaouki Kasmi, chaouki.kasmi@ssi.gouv.fr
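
The countermeasures on slides 31 and 32 (limit critical commands, especially pre-auth; voice recognition; detect abnormal EM activity) can be combined into a single gate that every recognized command passes through. The Python below is an added example, not code from the presentation or from any vendor; the intent names, the `Context` fields and the hand mapping of the slides' demo payloads to intents are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"
    REQUIRE_UNLOCK = "require_unlock"
    DENY = "deny"

@dataclass(frozen=True)
class Context:
    locked: bool            # True: the command arrives pre-auth
    speaker_verified: bool  # voice recognition matched the enrolled user
    em_anomaly: bool        # built-in sensor reports abnormal EM activity

# Hypothetical intent table: True marks a critical command. The scopes follow
# slide 7 (telephony, internet, local); the intent names are invented here.
CRITICAL = {
    "call": True, "send_sms": True,            # telephony
    "open_url": True, "post_social": True,     # internet
    "toggle_radio": True, "open_app": True,    # local, extends attack surface
    "set_alarm": False, "create_note": False,  # local, low impact
}

# The four demo payloads from slides 23-27, mapped by hand to intents.
DEMO_PAYLOADS = {
    "Hi Galaxy - Bluetooth": "toggle_radio",
    "Call Mon Compte": "call",
    "OK Google - Go to www.ssi.gouv.fr": "open_url",
    "OK Google - Open Gmail": "open_app",
}

def decide(intent, ctx):
    """Return (Verdict, reason); the caller gives sound/vibration feedback either way."""
    if intent not in CRITICAL:
        return Verdict.DENY, "unknown intent"
    if ctx.em_anomaly:
        return Verdict.DENY, "abnormal EM activity, alert the user"
    if not CRITICAL[intent]:
        return Verdict.ALLOW, "low-impact command"
    if ctx.locked:
        return Verdict.REQUIRE_UNLOCK, "critical command before authentication"
    if not ctx.speaker_verified:
        return Verdict.DENY, "speaker not recognized"
    return Verdict.ALLOW, "critical command, unlocked, verified speaker"

def replay(ctx):
    """Verdict for each demo payload under the given device context."""
    return {payload: decide(intent, ctx)[0] for payload, intent in DEMO_PAYLOADS.items()}
```

Calling `replay(Context(locked=True, speaker_verified=False, em_anomaly=False))` shows that none of the four demo payloads would run on a locked device under this policy.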
